CVE Catalog

CVE-2026-55188

HighCVSS 8.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

In RustFS versions from 1.0.0-alpha.1 to 1.0.0-beta.9, an authorization bypass was found in the bucket replication admin API. The ListRemoteTargetHandler for listing remote replication targets only checks whether request credentials exist, but does not verify that the caller has replication or administrator permissions. As a result, an authenticated user with no effective bucket or admin permissions can list remote replication target configuration for a bucket.

Risk Assessment

The risk is the disclosure of replication access keys and secret keys, as the returned BucketTarget objects include remote target credentials. This could lead to unauthorized data access or data leakage.

Recommendation

Immediately upgrade RustFS to version 1.0.0-beta.9 or later, which contains the fix for this vulnerability. Until the update is applied, restrict access to the replication admin API to trusted users only.

Original NVD description (English source)

RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, RustFS contains an authorization bypass in the bucket replication admin API. The ListRemoteTargetHandler handler for listing remote replication targets only checks whether request credentials exist, but does not verify that the caller has replication or administrator permissions. As a result, an authenticated user with no effective bucket or admin permissions can list remote replication target configuration for a bucket. Because the returned BucketTarget objects include remote target credentials, this can disclose replication access keys and secret keys. This vulnerability is fixed in 1.0.0-beta.9.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS