Description
RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.7 and earlier, the real-time metrics endpoint at /rustfs/admin/v3/metrics is accessible to any valid IAM user regardless of their assigned policy. Every other admin handler in the codebase calls validate_admin_request to enforce admin-action IAM checks; the MetricsHandler skips this call entirely. A restricted IAM user whose policy grants only access to their own bucket can read server-wide operational metrics including disk I/O statistics, network throughput, scanner cycle timing, and cluster RPC state.
Published: 2026-06-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

RustFS 1.0.0-beta.7 and earlier allow any authenticated IAM user to call the /rustfs/admin/v3 which should have been protected by admin‑level authorization. The omission of the validate_admin_request call lets users obtain server‑wide operational metrics including disk I/O, network throughput, scanner cycle timing, and cluster RPC state. While the data itself may not reveal credentials, it provides attackers with valuable insight into cluster activity, resource usage, and potential bottlenecks that can aid in planning further attacks or reducing detection. The vulnerability is anchored in an improper privilege check (CWE‑862).

Affected Systems

The flaw affects RustFS distributed object storage with product identifier rustfs:rustfs. Versions 1.0.0‑beta.7 and all earlier releases are vulnerable. Later releases have hardened the metrics endpoint via proper admin authorization.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate impact; the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires legitimate IAM credentials, so any user who can log in can exploit the endpoint. Exploitation is straightforward: send a GET request to /rustfs/admin/v3/metrics after authenticating. No additional conditions or configuration changes are required, making it easily exploitable for any authenticated user.

Generated by OpenCVE AI on June 26, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RustFS to a version later than 1.0.0‑beta.7, where the metrics endpoint enforces admin authorization.
  • If an upgrade cannot be performed or the IAM service to deny access to the /rustfs/admin/v3/metrics path for non‑admin users, ensuring only explicit admin roles can query that endpoint.
  • Verify that all existing IAM users no longer have unintended access by reviewing audit logs for metrics requests after policy changes; adjust as necessary.

Generated by OpenCVE AI on June 26, 2026 at 22:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
First Time appeared Rustfs
Rustfs rustfs
Vendors & Products Rustfs
Rustfs rustfs

Sat, 27 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.7 and earlier, the real-time metrics endpoint at /rustfs/admin/v3/metrics is accessible to any valid IAM user regardless of their assigned policy. Every other admin handler in the codebase calls validate_admin_request to enforce admin-action IAM checks; the MetricsHandler skips this call entirely. A restricted IAM user whose policy grants only access to their own bucket can read server-wide operational metrics including disk I/O statistics, network throughput, scanner cycle timing, and cluster RPC state.
Title RustFS: Missing admin authorization on /rustfs/admin/v3/metrics allows any authenticated user to read server metrics
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-27T03:07:19.913Z

Reserved: 2026-06-17T16:29:38.865Z

Link: CVE-2026-55838

cve-icon Vulnrichment

Updated: 2026-06-27T03:06:24.769Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T03:45:10Z

Weaknesses