Description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the admin router explicitly whitelists /profile/cpu and /profile/memory from the authentication layer, allowing any unauthenticated HTTP client to invoke profiling handlers without credentials. On supported builds (e.g., glibc), the handler invokes a fixed 60-second CPU profiling operation (dump_cpu_pprof_for(Duration::from_secs(60))). This may result in significant CPU resource consumption per request and can potentially lead to denial of service when abused. Additionally, the handler returns the server’s absolute filesystem path in the response body, resulting in information disclosure. This vulnerability is fixed in 1.0.0-beta.2.
Published: 2026-05-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Before version 1.0.0-beta.2, RustFS exposed the /profile/cpu and /profile/memory endpoints to unauthenticated users because the admin router whitelisted them from the authentication layer. The CPU profiling handler performs a 60-second capture per request, consuming substantial processor resources, while the response body includes the server's absolute filesystem path, leaking internal information. Together, these weaknesses let a client without credentials invoke a privileged function, which an attacker could use to degrade performance or gather sensitive metadata.

Affected Systems

The vulnerability affects RustFS, the distributed object storage system written in Rust, in all versions prior to 1.0.0-beta.2. Builds on which profiling is supported (e.g., glibc) run the 60-second CPU profiling routine when the handler is invoked. Any publicly accessible RustFS instance running an affected version is therefore vulnerable.

Risk and Exploitability

The flaw can be exercised with a simple HTTP request to /profile/cpu or /profile/memory, so exploitation is straightforward and does not require special credentials. The CVSS score of 8.8 indicates high severity. EPSS information is not available, and the vulnerability is not listed in CISA’s KEV catalog, but the attack surface of wide‑area access to a Docker‑based service remains significant. The attack vector is inferred to be remote over HTTP; the potential impact includes prolonged CPU usage per request and disclosure of server paths.

Generated by OpenCVE AI on May 28, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RustFS to version 1.0.0‑beta.2 or later, which removes the authentication bypass and defaults the profiling endpoints to require credentials.
  • If an upgrade cannot be performed immediately, implement network‑level controls such as a reverse proxy or firewall rule to restrict access to /profile/cpu and /profile/memory to trusted networks only.
  • Configure the server or the profiling module to disable or restrict the /profile/cpu and /profile/memory handlers entirely, reducing the attack surface and preventing resource exhaustion.
  • Monitor HTTP traffic for repeated requests to the profiling endpoints and flag any anomalous CPU utilization as a potential abuse attempt.
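
The monitoring recommendation above, as an added example (not OpenCVE or RustFS code): it scans reverse-proxy access logs for requests to the two profiling paths and totals the CPU capture time each client asked for, using the 60-second figure from the description. It assumes Common Log Format and a suffix match on the path; the sample lines and the `max_hits` threshold are constructed.

```python
import re
from collections import defaultdict

# Paths named in the advisory. Suffix match is an assumption, in case the
# admin router is mounted under a prefix; an object key ending the same way
# would also match and needs manual triage.
PROFILE_SUFFIXES = ("/profile/cpu", "/profile/memory")
CPU_CAPTURE_SECONDS = 60  # fixed capture length stated in the advisory

# Common Log Format: client ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def profile_hits(lines):
    """Yield (client, path, status) for requests to a profiling endpoint."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["target"].split("?", 1)[0].rstrip("/")
        if path.endswith(PROFILE_SUFFIXES):
            yield m["client"], path, int(m["status"])

def summarize(lines, max_hits=3):
    """Per-client hit count, CPU-seconds of capture requested, alert flag."""
    stats = defaultdict(lambda: {"hits": 0, "cpu_seconds": 0})
    for client, path, status in profile_hits(lines):
        s = stats[client]
        s["hits"] += 1
        # Only an accepted (2xx) request can have started a capture.
        if path.endswith("/profile/cpu") and 200 <= status < 300:
            s["cpu_seconds"] += CPU_CAPTURE_SECONDS
    return {c: {**s, "alert": s["hits"] >= max_hits} for c, s in stats.items()}

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [28/May/2026:20:01:02 +0000] "GET /profile/cpu HTTP/1.1" 200 182',
    '203.0.113.7 - - [28/May/2026:20:01:03 +0000] "GET /profile/cpu HTTP/1.1" 200 182',
    '203.0.113.7 - - [28/May/2026:20:01:04 +0000] "GET /profile/memory?x=1 HTTP/1.1" 200 175',
    '198.51.100.20 - - [28/May/2026:20:02:00 +0000] "GET /profile/cpu HTTP/1.1" 403 0',
    '198.51.100.20 - - [28/May/2026:20:02:10 +0000] "PUT /bucket/object.bin HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for client, s in summarize(SAMPLE).items():
        print(client, s)
```

On an affected version, any 2xx response to these paths from a client that sent no credentials is itself a finding, regardless of the hit count.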

Advisories

No advisories yet.

History

Thu, 28 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Rustfs; Rustfs rustfs
Vendors & Products | - | Rustfs; Rustfs rustfs

Thu, 28 May 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | - | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | - | (same text as the Description at the top of this page)
Title | - | RustFS: Authentication bypass in /profile/cpu and /profile/memory allows unauthenticated access to profiling handlers
Weaknesses | - | CWE-306
References | - |
Metrics | - | cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T19:36:42.212Z

Reserved: 2026-05-08T18:07:27.341Z

Link: CVE-2026-45044

Vulnrichment

Updated: 2026-05-28T19:36:36.546Z

NVD

Status: Deferred

Published: 2026-05-28T19:16:38.980

Modified: 2026-05-29T15:11:03.853

Link: CVE-2026-45044

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T21:30:26Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function