Description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the RustFS console endpoint GET /rustfs/console/license returns parsed license metadata without requiring authentication. The endpoint is registered on the console listener and returns JSON containing license information such as the license subject and expiration timestamp. Any client that can reach the console listener can query this endpoint without credentials. This vulnerability is fixed in 1.0.0-beta.2.
Published: 2026-05-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

RustFS exposes an unauthenticated HTTP GET endpoint that reveals licence metadata, such as the licence subject and expiry timestamp, without any access control. Affected versions are those prior to 1.0.0-beta.2. The leak does not by itself allow code execution or privilege escalation, but it gives an attacker licence details that could be used for business intelligence or to assess system readiness. The expected outcome is a moderate confidentiality breach, reflected in the CVSS score of 6.9.

Affected Systems

RustFS 1.x versions prior to 1.0.0-beta.2. Any deployment that exposes the /rustfs/console/license endpoint on its console listener is impacted. Versions 1.0.0-beta.2 and later contain the fix and are unaffected.

Risk and Exploitability

An attacker who can reach the console listener can issue a simple unsigned request and retrieve the licence metadata. The vulnerability is not listed in the CISA KEV catalogue and its EPSS is unknown, but the CVSS score of 6.9 indicates moderate risk. Because the endpoint does not require authentication, anyone with network visibility into the console service can exploit it.

Generated by OpenCVE AI on May 28, 2026 at 21:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RustFS to version 1.0.0-beta.2 or later, which removes the unauthenticated licence endpoint.
  • Restrict network access to the console listener so that only trusted internal hosts can reach it.
  • If an upgrade cannot be performed immediately, apply a temporary firewall rule or network policy to block external access to the /rustfs/console/license endpoint.


Advisories

No advisories yet.

History

Thu, 28 May 2026 20:45:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Rustfs
                                       Rustfs rustfs
Vendors & Products                     Rustfs
                                       Rustfs rustfs

Thu, 28 May 2026 20:30:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc
                            {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 19:00:00 +0000

Type          Values Removed    Values Added
Description                     RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the RustFS console endpoint GET /rustfs/console/license returns parsed license metadata without requiring authentication. The endpoint is registered on the console listener and returns JSON containing license information such as the license subject and expiration timestamp. Any client that can reach the console listener can query this endpoint without credentials. This vulnerability is fixed in 1.0.0-beta.2.
Title                           RustFS: Unauthenticated RustFS console license endpoint exposes license metadata
Weaknesses                      CWE-200
                                CWE-306
References
Metrics                         cvssV4_0
                                {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T19:35:40.842Z

Reserved: 2026-05-18T19:50:18.695Z

Link: CVE-2026-47136

Vulnrichment

Updated: 2026-05-28T19:35:34.298Z

NVD

Status: Deferred

Published: 2026-05-28T19:16:39.753

Modified: 2026-05-29T15:11:03.853

Link: CVE-2026-47136

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T21:45:27Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-306: Missing Authentication for Critical Function