Description
RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, when the FTP frontend is enabled, the FTP read and probe handlers dispatch directly to the storage backend without ever calling the IAM authorization function that the FTP write/list handlers (and the entire HTTP S3 path) use. As a result, any user who can authenticate to the FTP listener — including a user whose IAM policy contains an explicit Deny on s3:GetObject — can read (RETR) and stat (SIZE/MDTM) any object in any bucket, and probe any bucket (CWD), completely regardless of their IAM policy. This vulnerability is fixed in 1.0.0-beta.9.
Published: 2026-06-26
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

RustFS is a distributed object storage system built in Rust. From version 1.0.0-alpha.1 through 1.0.0-beta.9, the FTP frontend fails to invoke IAM authorization when processing read and probe operations, allowing any authenticated FTP user to retrieve or inspect objects in any bucket regardless of their IAM policy. This flaw can lead to the disclosure of sensitive data to users who should not have access, violating confidentiality.

Affected Systems

RustFS version 1.0.0-alpha.1 to with the FTP frontend enabled is affected. Any authenticated user connecting to the FTP listener can exploit the bypass.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity. The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog. Attackers must have network access to the FTP listener and be able to authenticate with any FTP credentials. Once authenticated, an attacker can read or probe any object in any bucket, regardless of IAM policy restrictions. The absence of additional prerequisites makes the exploit straightforward for automated scanners, increasing.

Generated by OpenCVE AI on June 26, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RustFS to version 1.0.0-beta.9 or later, where the FTP read and probe handlers have been fixed to invoke IAM authorization.
  • If an upgrade is not immediately possible, disable the FTP frontend service to prevent unauthorized object reads.
  • Restrict external network access to the FTP listener to only trusted networks and monitor FTP logs for anomalous access patterns.

Generated by OpenCVE AI on June 26, 2026 at 22:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
First Time appeared Rustfs
Rustfs rustfs
Vendors & Products Rustfs
Rustfs rustfs

Fri, 26 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, when the FTP frontend is enabled, the FTP read and probe handlers dispatch directly to the storage backend without ever calling the IAM authorization function that the FTP write/list handlers (and the entire HTTP S3 path) use. As a result, any user who can authenticate to the FTP listener — including a user whose IAM policy contains an explicit Deny on s3:GetObject — can read (RETR) and stat (SIZE/MDTM) any object in any bucket, and probe any bucket (CWD), completely regardless of their IAM policy. This vulnerability is fixed in 1.0.0-beta.9.
Title RustFS: FTP frontend skips IAM authorization on object reads
Weaknesses CWE-862
CWE-863
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-29T15:20:13.295Z

Reserved: 2026-06-16T15:20:43.086Z

Link: CVE-2026-55189

cve-icon Vulnrichment

Updated: 2026-06-29T15:03:47.420Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T03:45:10Z

Weaknesses