Description
RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature to write arbitrary objects into other users' buckets, completely breaking multi-tenant isolation. The vulnerability chains three flaws: No ../ sanitization in tar entry key normalization; IAM wildcard matching uses raw (uncleaned) paths; and Filesystem path cleaning resolves ../ across bucket boundaries.
Published: 2026-06-26
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the Snowball auto‑extract feature, which unpacks an uploaded tar archive into objects. Three weaknesses chain together: tar entry names containing "../" are not sanitized when they are turned into object keys; the IAM wildcard check is evaluated against that raw key, so a key of the form "<own‑bucket>/../<other‑bucket>/<object>" still matches a grant scoped to the caller's own bucket; and the filesystem layer then cleans the path, resolving the "../" into another bucket's directory. An authenticated user who can upload a tar archive to their own bucket can therefore write or overwrite objects in any other bucket, breaking multi‑tenant isolation and corrupting other tenants' data. Note that the published vector records integrity impact only (C:N/I:H/A:N): the primitive is an arbitrary write, not a read.

Affected Systems

RustFS distributed object storage system, version 1.0.0‑beta.4, the only version the advisory names. The record lists no fixed version, so do not assume a later release is patched without checking the project's release notes.

Risk and Exploitability

The CVSS 3.1 base score is 8.6 (High). The published vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N, which records PR:N even though the description requires an authenticated user holding PutObject on a bucket; treat the description's privilege requirement as authoritative and the vector as possibly overstating the attack's ease. The exploit needs authenticated PutObject access and the ability to trigger the Snowball auto‑extract flow: the attacker crafts a tar archive whose entry names contain "../" components and uploads it through that flow, and because the entry names are neither sanitized nor re‑checked against the policy after path cleaning, the extracted objects land in buckets the attacker is not authorized to write. No EPSS score is available and the CVE is not in the CISA KEV catalog, but the prerequisites are low: any tenant account with write access to one bucket suffices and no user interaction is required, so a realistic attacker could cause significant damage.
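As an added illustration, not RustFS code and not part of the advisory, the following Rust program models the three‑step chain from the description. The function names, the "bucket/*" policy pattern format and the tar entry names are all made up for the example; it shows how an uncleaned key passes a prefix‑scoped policy and then resolves into another bucket, and how a hardened normalization that rejects parent‑directory components and evaluates the policy on the cleaned key closes the gap:

```rust
// Added illustration for this advisory. It is NOT RustFS code: the function
// names, the policy format and the tar entry names are assumptions made up
// to model the three-step chain the description lists.

use std::path::{Component, Path};

/// Step 1 (vulnerable): build the object key for a tar entry by joining the
/// bucket name and the raw entry name. Nothing rejects "..".
fn raw_object_key(bucket: &str, entry_name: &str) -> String {
    format!("{}/{}", bucket, entry_name.trim_start_matches('/'))
}

/// Step 2: a minimal IAM-style wildcard check. A tenant's policy grants
/// "<bucket>/*". Matching on the *uncleaned* key is the flaw: the key
/// "attacker/../victim/x" still starts with "attacker/".
fn policy_allows(resource_pattern: &str, key: &str) -> bool {
    match resource_pattern.strip_suffix('*') {
        Some(prefix) => key.starts_with(prefix),
        None => key == resource_pattern,
    }
}

/// Step 3: the storage layer lexically cleans the key before touching disk.
/// ".." pops the previous component, so it walks out of the bucket directory.
fn clean_path(key: &str) -> String {
    let mut parts: Vec<&str> = Vec::new();
    for comp in Path::new(key).components() {
        match comp {
            Component::Normal(s) => parts.push(s.to_str().unwrap_or("")),
            Component::ParentDir => {
                parts.pop();
            }
            _ => {}
        }
    }
    parts.join("/")
}

/// The vulnerable pipeline: Ok(final_path) if the write would be performed,
/// Err if the policy check denies it. The policy is checked on the raw key.
fn vulnerable_extract(bucket: &str, policy: &str, entry_name: &str) -> Result<String, String> {
    let key = raw_object_key(bucket, entry_name);
    if !policy_allows(policy, &key) {
        return Err(format!("denied: {}", key));
    }
    Ok(clean_path(&key))
}

/// Hardened normalization: reject any entry with a parent-directory or
/// absolute component, then check the *cleaned* key against the policy and
/// confirm it still lives inside the caller's bucket.
fn safe_extract(bucket: &str, policy: &str, entry_name: &str) -> Result<String, String> {
    for comp in Path::new(entry_name).components() {
        match comp {
            Component::Normal(_) | Component::CurDir => {}
            Component::ParentDir => {
                return Err(format!("rejected traversal entry: {}", entry_name))
            }
            _ => return Err(format!("rejected absolute entry: {}", entry_name)),
        }
    }
    let key = clean_path(&raw_object_key(bucket, entry_name));
    let bucket_prefix = format!("{}/", bucket);
    if !key.starts_with(bucket_prefix.as_str()) || !policy_allows(policy, &key) {
        return Err(format!("denied: {}", key));
    }
    Ok(key)
}

fn main() {
    let policy = "attacker/*"; // constructed: tenant "attacker" may write only its own bucket
    // Constructed tar entry names: one benign, one carrying a traversal.
    for name in ["reports/q1.csv", "../victim/config.json"] {
        println!("vulnerable {:>24} -> {:?}", name, vulnerable_extract("attacker", policy, name));
        println!("hardened   {:>24} -> {:?}", name, safe_extract("attacker", policy, name));
    }
}
```

Run as a plain binary: the vulnerable path accepts "../victim/config.json" and resolves it to "victim/config.json", while the hardened path rejects the entry before any policy or filesystem step. The design point is that authorization must be decided on exactly the path the storage layer will use, never on a representation that a later cleaning step can change.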

Generated by OpenCVE AI on June 26, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a RustFS release that includes the path‑traversal fix once one is published; this record lists no fixed version, so confirm it against the project's release notes.
  • If an upgrade cannot be performed immediately, disable the Snowball auto‑extract functionality or remove any auto‑extract configuration so that uploaded tar archives are stored as opaque objects rather than unpacked into keys.
  • Keep PutObject grants scoped to each tenant's own bucket as a matter of hygiene, but do not rely on this as a mitigation: the flaw is exploitable precisely when the attacker holds only PutObject on their own bucket, because the IAM check is evaluated on the raw, uncleaned key and the "../" is resolved afterwards.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:15:00 +0000

Type         Values Removed   Values Added
Description  -                RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature to write arbitrary objects into other users' buckets, completely breaking multi-tenant isolation. The vulnerability chains three flaws: No ../ sanitization in tar entry key normalization; IAM wildcard matching uses raw (uncleaned) paths; and Filesystem path cleaning resolves ../ across bucket boundaries.
Title        -                RustFS Snowball Auto-Extract: Path Traversal allows cross-bucket object injection
Weaknesses   -                CWE-22, CWE-862
References   -                -
Metrics      -                cvssV3_1: score 8.6, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T20:01:29.896Z

Reserved: 2026-06-02T18:30:51.283Z

Link: CVE-2026-49991

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T21:30:06Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-862

    Missing Authorization