Description
RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, RustFS contains an authorization bypass in the bucket replication admin API. The ListRemoteTargetHandler handler for listing remote replication targets only checks whether request credentials exist, but does not verify that the caller has replication or administrator permissions. As a result, an authenticated user with no effective bucket or admin permissions can list remote replication target configuration for a bucket. Because the returned BucketTarget objects include remote target credentials, this can disclose replication access keys and secret keys. This vulnerability is fixed in 1.0.0-beta.9.
Published: 2026-06-26
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the ListRemoteTargetHandler within RustFS's bucket replication admin API. An authenticated user, regardless of their role, can invoke this handler to list remote replication targets. Because the handler only verifies the presence of credentials and does not enforce permission checks, the returned BucketTarget objects reveal remote target access keys and secrets. The disclosure of these credentials enables an attacker to access the replication target directly, compromising confidentiality of stored data and potentially facilitating further attacks on the target system.

Affected Systems

The affected product is RustFS, a distributed object storage system written in Rust. Releases from version 1.0.0-alpha.1 through 1.0.0-beta.8 contain the flaw. No other vendors are mentioned. The issue is specific to these versions; version 1.0.0-beta.9 and later contain a fix.

Risk and Exploitability

The CVSS score is 8.2, categorizing the vulnerability as high severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The lack of a privilege check means any authenticated user can exploit the flaw; the attack vector is the REST API, requiring only valid authentication tokens. Because the API is exposed to the network, an attacker can repeatedly call the endpoint to enumerate replication targets and leak credentials. The impact is limited to confidentiality loss, but the exposed credentials could be leveraged for further attacks. Organizations should treat the issue as high risk and address it promptly.

Generated by OpenCVE AI on June 26, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RustFS to version 1.0.0-beta.9 or later, where the authorization check is restored.
  • Restrict access to the ListRemoteTargetHandler endpoint to administrators only, using network policies or API gateway rules.
  • Rotate any replication credentials that may have been exposed until a patched version is deployed.

Generated by OpenCVE AI on June 26, 2026 at 22:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
First Time appeared Rustfs
Rustfs rustfs
Vendors & Products Rustfs
Rustfs rustfs

Fri, 26 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, RustFS contains an authorization bypass in the bucket replication admin API. The ListRemoteTargetHandler handler for listing remote replication targets only checks whether request credentials exist, but does not verify that the caller has replication or administrator permissions. As a result, an authenticated user with no effective bucket or admin permissions can list remote replication target configuration for a bucket. Because the returned BucketTarget objects include remote target credentials, this can disclose replication access keys and secret keys. This vulnerability is fixed in 1.0.0-beta.9.
Title RustFS: ListRemoteTargetHandler authorization bypass leaks replication target credentials
Weaknesses CWE-200
CWE-522
CWE-862
CWE-863
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-27T03:11:05.352Z

Reserved: 2026-06-16T15:20:43.086Z

Link: CVE-2026-55188

cve-icon Vulnrichment

Updated: 2026-06-27T03:10:44.900Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T03:45:10Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-522

    Insufficiently Protected Credentials

  • CWE-862

    Missing Authorization

  • CWE-863

    Incorrect Authorization