CVE-2026-55189 | RustFS is a distributed object storage system built in Rust.… | CVSS 7.7 HIGH

Description

RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, when the FTP frontend is enabled, the FTP read and probe handlers dispatch directly to the storage backend without ever calling the IAM authorization function that the FTP write/list handlers (and the entire HTTP S3 path) use. As a result, any user who can authenticate to the FTP listener — including a user whose IAM policy contains an explicit Deny on s3:GetObject — can read (RETR) and stat (SIZE/MDTM) any object in any bucket, and probe any bucket (CWD), completely regardless of their IAM policy. This vulnerability is fixed in 1.0.0-beta.9.

Metadata

CVE ID: CVE-2026-55189
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-16 15:20 UTC
Published: 2026-06-26 19:59 UTC
Last updated: 2026-06-26 19:59 UTC
Primary CWE: CWE-862
CWE-862: Missing Authorization
Vendor / Product: rustfs / rustfs
Sources: cve.org · NVD

Severity & Metrics

7.7 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
rustfs	rustfs	—	>= 1.0.0-alpha.1, <= 1.0.0-beta.8

Weakness (CWE)

CWE	Source	Description
CWE-862	cna	CWE-862: Missing Authorization
CWE-863	cna	CWE-863: Incorrect Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.7	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

References (1)

https://github.com/rustfs/rustfs/security/advisories/GHSA-3g29-xff2-92vp https://github.com/rustfs/rustfs/security/advisories/GHSA-3g29-xff2-92vp