Lucene search
K

209 matches found

NVD
NVD
added 2026/06/26 8:17 p.m.7 views

CVE-2026-55838

RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.7 and earlier, the real-time metrics endpoint at /rustfs/admin/v3/metrics is accessible to any valid IAM user regardless of their assigned policy. Every other admin handler in the codebase calls validateadminrequest to...

4.3CVSS0.00162EPSS
Exploits0References1
NVD
NVD
added 2026/06/26 8:17 p.m.8 views

CVE-2026-55188

RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, RustFS contains an authorization bypass in the bucket replication admin API. The ListRemoteTargetHandler handler for listing remote replication targets only checks whether request credentials exist...

8.2CVSS0.00181EPSS
Exploits0References1
NVD
NVD
added 2026/06/26 8:17 p.m.8 views

CVE-2026-55189

RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, when the FTP frontend is enabled, the FTP read and probe handlers dispatch directly to the storage backend without ever calling the IAM authorization function that the FTP write/list handlers and t...

7.7CVSS0.00201EPSS
Exploits0References1
NVD
NVD
added 2026/06/26 8:17 p.m.8 views

CVE-2026-49991

RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature to write arbitrary objects into other users' buckets, completely...

8.6CVSS0.00273EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 8:3 p.m.8 views

CVE-2026-55188

RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, RustFS contains an authorization bypass in the bucket replication admin API. The ListRemoteTargetHandler handler for listing remote replication targets only checks whether request credentials exist...

8.2CVSS5.8AI score0.00181EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/26 8:3 p.m.14 views

CVE-2026-55188

RustFS’s ListRemoteTargetHandler in versions 1.0.0-alpha.1 through 1.0.0-beta.8 contains an authorization bypass that only checks for credentials and neglects to verify replication or admin permissions. This allows an authenticated user without bucket/admin rights to list remote replication targe...

8.2CVSS5.8AI score0.00181EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/26 8:3 p.m.24 views

CVE-2026-55188 RustFS: ListRemoteTargetHandler authorization bypass leaks replication target credentials

RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, RustFS contains an authorization bypass in the bucket replication admin API. The ListRemoteTargetHandler handler for listing remote replication targets only checks whether request credentials exist...

8.2CVSS0.00181EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 8:1 p.m.8 views

CVE-2026-49991

RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature to write arbitrary objects into other users' buckets, completely...

8.6CVSS5.9AI score0.00273EPSS
Exploits0References2
CVE
CVE
added 2026/06/26 8:1 p.m.15 views

CVE-2026-49991

RustFS 1.0.0-beta.4 is affected by a path traversal vulnerability in the Snowball auto-extract feature. Authenticated users with only PutObject permission on their own bucket can write arbitrary objects into other users’ buckets, breaking multi-tenant isolation. Root causes include: (1) No ../ sa...

8.6CVSS5.9AI score0.00273EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 7:59 p.m.8 views

CVE-2026-55189

RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, when the FTP frontend is enabled, the FTP read and probe handlers dispatch directly to the storage backend without ever calling the IAM authorization function that the FTP write/list handlers and t...

7.7CVSS5.8AI score0.00201EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/26 7:59 p.m.37 views

CVE-2026-55189 RustFS: FTP frontend skips IAM authorization on object reads

RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, when the FTP frontend is enabled, the FTP read and probe handlers dispatch directly to the storage backend without ever calling the IAM authorization function that the FTP write/list handlers and t...

7.7CVSS0.00201EPSS
Exploits0References1
CVE
CVE
added 2026/06/26 7:59 p.m.20 views

CVE-2026-55189

RustFS (distributed object storage in Rust) contains a vulnerability from 1.0.0-alpha.1 through 1.0.0-beta.9 where enabling the FTP frontend lets FTP read and probe handlers bypass the IAM authorization function, allowing authenticated users to read objects and probe buckets regardless of IAM pol...

7.7CVSS5.8AI score0.00201EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 7:57 p.m.7 views

CVE-2026-55838

RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.7 and earlier, the real-time metrics endpoint at /rustfs/admin/v3/metrics is accessible to any valid IAM user regardless of their assigned policy. Every other admin handler in the codebase calls validateadminrequest to...

4.3CVSS5.8AI score0.00162EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/26 7:57 p.m.8 views

CVE-2026-55838

CVE-2026-55838 (RustFS) : In versions up to 1.0.0-beta.7, the real-time metrics endpoint /rustfs/admin/v3/metrics is accessible to any valid IAM user, because MetricsHandler skips the admin-request validation that other admin handlers perform. As a result, a user whose policy allows only their ow...

4.3CVSS5.8AI score0.00162EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/26 7:57 p.m.24 views

CVE-2026-55838 RustFS: Missing admin authorization on /rustfs/admin/v3/metrics allows any authenticated user to read server metrics

RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.7 and earlier, the real-time metrics endpoint at /rustfs/admin/v3/metrics is accessible to any valid IAM user regardless of their assigned policy. Every other admin handler in the codebase calls validateadminrequest to...

4.3CVSS0.00162EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.12 views

PT-2026-52909

Name of the Vulnerable Software and Affected Versions RustFS version 1.0.0-beta.4 Description Authenticated users with PutObject permission on their own bucket can exploit a path traversal issue in the Snowball auto-extract feature to write arbitrary objects into buckets belonging to other users,...

8.6CVSS5.9AI score0.00273EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.15 views

PT-2026-52966

Name of the Vulnerable Software and Affected Versions RustFS versions prior to 1.0.0-beta.8 Description RustFS is a distributed object storage system built in Rust. The real-time metrics endpoint '/rustfs/admin/v3/metrics' is accessible to any valid IAM user, regardless of their assigned policy...

4.3CVSS5.8AI score0.00162EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.12 views

PT-2026-52965

Name of the Vulnerable Software and Affected Versions RustFS versions 1.0.0-alpha.1 through 1.0.0-beta.8 Description When the FTP frontend is enabled, the FTP read and probe handlers dispatch directly to the storage backend without calling the IAM authorization function used by the FTP write/list...

7.7CVSS5.8AI score0.00201EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.10 views

PT-2026-52964

Name of the Vulnerable Software and Affected Versions RustFS versions 1.0.0-alpha.1 through 1.0.0-beta.8 Description An authorization bypass exists in the bucket replication admin API. The ListRemoteTargetHandler handler for listing remote replication targets verifies the existence of request...

8.2CVSS5.8AI score0.00181EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:37 p.m.10 views

CVE-2026-47136

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the RustFS console endpoint GET /rustfs/console/license returns parsed license metadata without requiring authentication. The endpoint is registered on the console listener and returns JSON containing license...

6.9CVSS5.5AI score0.0031EPSS
Exploits0References1
Rows per page
Query Builder