CVE-2026-49991 Overview
CVE-2026-49991 is a path traversal vulnerability [CWE-22] in RustFS, a distributed object storage system built in Rust. The flaw affects RustFS version 1.0.0-beta.4 and resides in the Snowball auto-extract feature. Authenticated users holding only PutObject permission on their own bucket can write arbitrary objects into other tenants' buckets. The issue chains three defects: missing ../ sanitization during tar entry key normalization, Identity and Access Management (IAM) wildcard matching against raw uncleaned paths, and filesystem path cleaning that resolves ../ across bucket boundaries. Exploitation collapses multi-tenant isolation in a shared RustFS deployment.
Critical Impact
A low-privilege authenticated user can overwrite or plant objects in any bucket, undermining tenant isolation and data integrity across the cluster.
Affected Products
- RustFS 1.0.0-beta.4
- RustFS distributed object storage deployments exposing the Snowball auto-extract feature
- Multi-tenant RustFS clusters relying on IAM path-based authorization
Discovery Timeline
- 2026-06-26 - CVE-2026-49991 published to the National Vulnerability Database (NVD)
- 2026-06-29 - Last updated in NVD database
Technical Details for CVE-2026-49991
Vulnerability Analysis
RustFS supports a Snowball-style bulk ingest that unpacks uploaded tar archives into object storage. During extraction, each tar entry key is treated as a target object name relative to the caller's bucket. The extraction pipeline fails to reject or normalize entries containing ../ traversal sequences. As a result, a crafted archive can escape the caller's bucket namespace.
The vulnerability spans three chained defects. First, tar entry key normalization preserves ../ components rather than stripping them. Second, IAM policy evaluation performs wildcard matching against the raw, uncleaned request path, so the authorization decision is made against a path that still references the caller's bucket. Third, the filesystem layer then cleans the path and resolves ../ segments across bucket boundaries, writing the object outside the authorized bucket.
Exploitation only requires an account with PutObject on a single bucket owned by the attacker. No user interaction is needed, and the attack is delivered over the network.
Root Cause
The root cause is inconsistent path handling between the authorization layer and the filesystem layer. Authorization sees the pre-normalized path and grants access based on the attacker-controlled bucket prefix, while the storage backend operates on the post-normalized path that traverses into another bucket. This time-of-check to time-of-use style mismatch, combined with absent input validation on tar entry names, produces the traversal.
Attack Vector
An authenticated attacker uploads a tar archive to their own bucket using the Snowball auto-extract endpoint. Archive entries carry keys such as ../victim-bucket/malicious-object. IAM allows the request because the raw path begins with the attacker's bucket. The extractor then writes each entry to a filesystem path where ../ resolution places the object inside victim-bucket. Verified public exploit code is not currently available. See the GitHub Security Advisory GHSA-f4vq-9ffr-m8m3 for technical details.
Detection Methods for CVE-2026-49991
Indicators of Compromise
- Snowball auto-extract requests containing tar entries whose keys include ../ or encoded traversal sequences such as %2e%2e%2f.
- Object write events where the resolved storage path resides in a bucket the requesting principal does not own.
- Unexpected object creation events in tenant buckets attributed to principals from unrelated tenants.
Detection Strategies
- Parse RustFS access logs to correlate the requesting principal's authorized bucket with the final resolved object path and alert on mismatches.
- Inspect tar archives submitted to the Snowball endpoint and flag any entry name containing .., absolute paths, or traversal encodings.
- Baseline per-tenant write patterns and alert on cross-tenant write anomalies emitted by the storage backend.
Monitoring Recommendations
- Enable verbose audit logging on the Snowball auto-extract handler, including original entry keys and post-normalization paths.
- Forward RustFS audit logs to a centralized analytics platform for cross-tenant anomaly identification.
- Monitor IAM decision logs for PutObject allows followed by writes outside the evaluated bucket scope.
How to Mitigate CVE-2026-49991
Immediate Actions Required
- Disable the Snowball auto-extract feature on RustFS 1.0.0-beta.4 deployments until an upstream fix is applied.
- Restrict PutObject permissions to trusted principals and remove broad wildcard grants that expose the extract endpoint.
- Audit object listings in all tenant buckets for files written by principals outside the tenant.
Patch Information
Refer to the RustFS GitHub Security Advisory GHSA-f4vq-9ffr-m8m3 for upstream fix status and upgrade guidance. Upgrade to a version that normalizes tar entry keys, evaluates IAM policy against the cleaned path, and constrains filesystem writes to the authorized bucket root.
Workarounds
- Block or proxy the Snowball auto-extract endpoint at the ingress layer for untrusted networks.
- Enforce archive pre-validation that rejects tar entries containing .., leading /, or non-UTF-8 traversal encodings before upload.
- Isolate tenants across separate RustFS instances or storage roots so that filesystem-level ../ resolution cannot cross tenant boundaries.
# Example ingress rule to block Snowball auto-extract until patched
# nginx example
location ~* /snowball {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

