Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-55188

CVE-2026-55188: RustFS Auth Bypass Vulnerability

CVE-2026-55188 is an authorization bypass flaw in RustFS that allows authenticated users to access remote replication credentials without proper permissions. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-55188 Overview

CVE-2026-55188 is an authorization bypass vulnerability in RustFS, a distributed object storage system written in Rust. The flaw affects versions 1.0.0-alpha.1 through 1.0.0-beta.8 and resides in the bucket replication admin API. The ListRemoteTargetHandler verifies that request credentials exist but does not confirm that the caller holds replication or administrator permissions. Any authenticated user, even one without effective bucket or admin rights, can list remote replication target configuration. The response contains BucketTarget objects that include remote target credentials, exposing replication access keys and secret keys to unauthorized principals. The issue is resolved in 1.0.0-beta.9.

Critical Impact

Authenticated attackers with no privileges can extract replication access keys and secret keys, enabling lateral movement into remote object storage systems.

Affected Products

  • RustFS 1.0.0-alpha.1 through 1.0.0-beta.8
  • RustFS distributed object storage deployments exposing the admin API
  • Environments configured with remote bucket replication targets

Discovery Timeline

  • 2026-06-26 - CVE-2026-55188 published to the National Vulnerability Database
  • 2026-06-27 - Last updated in NVD database

Technical Details for CVE-2026-55188

Vulnerability Analysis

RustFS exposes an administrative API for managing bucket replication targets. The ListRemoteTargetHandler handler returns configured BucketTarget records for a given bucket. These records embed the credentials RustFS uses to authenticate against the remote replication endpoint, including access keys and secret keys.

The handler enforces authentication but omits an authorization check. Any principal presenting valid credentials can invoke the endpoint, regardless of whether the principal owns the bucket or holds administrative privileges. The disclosed credentials can then be reused to read, modify, or exfiltrate objects on the remote storage system. This weakness is classified under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.

Root Cause

The root cause is a missing authorization check in the admin API request path. The handler validates presence of request credentials but skips policy evaluation against replication or administrator roles. Credentials stored inside BucketTarget objects are returned in cleartext within the API response body.

Attack Vector

An attacker authenticates to RustFS using any low-privileged account. The attacker sends a request to the list remote targets admin endpoint for a target bucket. RustFS returns the full BucketTarget payload, including the remote replication credentials, which the attacker uses to pivot to the remote object store. Exploitation requires network access to the RustFS admin API and a valid set of user credentials. Refer to the GitHub Security Advisory GHSA-796f-j7xp-hwf4 for the maintainer's technical write-up.

Detection Methods for CVE-2026-55188

Indicators of Compromise

  • Requests to the ListRemoteTargetHandler admin endpoint originating from accounts that do not own the target bucket
  • Successful admin API responses returned to non-administrative principals
  • Use of remote replication access keys from source addresses outside the RustFS replication worker pool

Detection Strategies

  • Audit RustFS admin API access logs for calls to list remote replication targets, correlating the caller identity against the assigned bucket owner and admin role membership
  • Alert on any principal invoking replication admin endpoints without a matching replication or admin policy binding
  • Monitor remote object storage providers for authentication events using replication credentials from unexpected network locations

Monitoring Recommendations

  • Enable verbose audit logging on RustFS admin endpoints and forward events to a centralized logging platform
  • Track credential usage of replication keys and rotate them if any list target request is observed from an unauthorized identity
  • Baseline normal replication traffic patterns and alert on anomalies in source, timing, or volume

How to Mitigate CVE-2026-55188

Immediate Actions Required

  • Upgrade all RustFS instances to version 1.0.0-beta.9 or later
  • Rotate every remote replication access key and secret key configured on affected clusters
  • Review admin API access logs for prior invocations of the list remote targets endpoint by non-admin users

Patch Information

The vulnerability is fixed in RustFS 1.0.0-beta.9. The patch adds the missing authorization check to the ListRemoteTargetHandler so only principals with replication or administrator permissions can enumerate remote targets. Full release notes and the fix commit are referenced in the RustFS Security Advisory GHSA-796f-j7xp-hwf4.

Workarounds

  • Restrict network access to the RustFS admin API to trusted management networks until the upgrade is applied
  • Remove or scope down low-privileged user accounts that do not require access to the RustFS deployment
  • Temporarily disable configured remote replication targets on non-critical buckets to reduce credential exposure
bash
# Upgrade RustFS to the patched release
cargo install rustfs --version 1.0.0-beta.9

# Verify the running version after restart
rustfs --version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.