Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-55189

CVE-2026-55189: RustFS FTP Auth Bypass Vulnerability

CVE-2026-55189 is an authentication bypass flaw in RustFS FTP frontend that allows unauthorized access to objects and buckets bypassing IAM policies. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-55189 Overview

CVE-2026-55189 is a missing authorization vulnerability [CWE-862] in RustFS, a distributed object storage system written in Rust. The flaw affects versions from 1.0.0-alpha.1 up to (but not including) 1.0.0-beta.9. When the File Transfer Protocol (FTP) frontend is enabled, the FTP read and probe handlers dispatch requests directly to the storage backend. These handlers never invoke the Identity and Access Management (IAM) authorization function used by the FTP write and list handlers and the HTTP S3 path. Any authenticated FTP user can read objects, stat objects, and probe buckets regardless of IAM policy.

Critical Impact

Authenticated FTP users bypass IAM policies — including explicit Deny rules on s3:GetObject — to read, stat, and probe any object in any bucket.

Affected Products

  • RustFS 1.0.0-alpha.1 through 1.0.0-beta.8
  • RustFS deployments with the FTP frontend enabled
  • Fixed in RustFS 1.0.0-beta.9

Discovery Timeline

  • 2026-06-26 - CVE-2026-55189 published to the National Vulnerability Database (NVD)
  • 2026-06-29 - Last updated in NVD database

Technical Details for CVE-2026-55189

Vulnerability Analysis

RustFS exposes object storage through both an S3-compatible HTTP interface and an optional FTP frontend. The HTTP S3 path and the FTP write and list handlers call the shared IAM authorization function before dispatching requests to the storage backend. The FTP read handler (RETR) and probe handlers (SIZE, MDTM, CWD) skip this authorization step entirely.

As a result, IAM policy evaluation never runs for these FTP operations. An authenticated FTP user with a policy containing an explicit Deny on s3:GetObject can still retrieve object contents, read object metadata, and enumerate bucket structure. The confidentiality impact is high, while integrity and availability remain unaffected because write paths are correctly gated.

Root Cause

The root cause is missing authorization enforcement [CWE-862] on selected FTP command handlers. The FTP frontend contains two dispatch paths: a gated path used by write and list operations that calls the IAM check, and an ungated path used by RETR, SIZE, MDTM, and CWD that goes straight to the backend. The developers implemented policy enforcement in the write and list flow but did not extend it to read and probe operations.

Attack Vector

Exploitation requires network access to the FTP listener and valid FTP credentials. No user interaction is needed. An attacker authenticates to the FTP service, then issues CWD to enumerate buckets, SIZE or MDTM to identify target objects, and RETR to download object contents. Because the vulnerability changes the security scope from the FTP user context to the storage tenant boundary, the CVSS scope is marked as changed.

No public proof-of-concept code is referenced in the advisory. Technical details are documented in the RustFS GitHub Security Advisory.

Detection Methods for CVE-2026-55189

Indicators of Compromise

  • FTP RETR, SIZE, MDTM, or CWD commands from user accounts whose IAM policies explicitly deny s3:GetObject on the targeted buckets
  • FTP session activity accessing buckets or object paths outside the authenticated user's normal working set
  • High-volume FTP read traffic from a single authenticated principal enumerating multiple buckets

Detection Strategies

  • Correlate RustFS FTP access logs against IAM policy decisions from the HTTP S3 path to identify reads that would have been denied over S3
  • Alert on FTP CWD traversal patterns that cycle through multiple bucket names in a short time window
  • Baseline per-user FTP retrieval volume and flag deviations that indicate bulk enumeration

Monitoring Recommendations

  • Enable verbose FTP command logging on the RustFS listener and forward events to a centralized data lake for retention and search
  • Ingest RustFS and object storage telemetry into an AI SIEM such as Singularity Data Lake to normalize events and run cross-source detections against identity activity
  • Track authentication events on the FTP service and correlate with subsequent object access to attribute reads to specific principals

How to Mitigate CVE-2026-55189

Immediate Actions Required

  • Upgrade RustFS to version 1.0.0-beta.9 or later, which contains the fix
  • Disable the FTP frontend on any RustFS deployment that cannot be immediately upgraded
  • Rotate FTP credentials issued to users whose access may have been abused prior to patching
  • Audit FTP access logs for read and probe activity against buckets the caller was not authorized to access

Patch Information

The vulnerability is fixed in RustFS 1.0.0-beta.9. The patch adds the IAM authorization call to the FTP read and probe handlers so they enforce the same policy checks as the write, list, and S3 HTTP paths. See the RustFS GitHub Security Advisory GHSA-3g29-xff2-92vp for full remediation details.

Workarounds

  • Disable the FTP listener entirely and require clients to use the HTTP S3 API, which correctly enforces IAM policies
  • Restrict network reachability of the FTP port to trusted management networks using host or network firewalls
  • Remove FTP credentials for users who do not require FTP access until the upgrade is applied
bash
# Example: block external access to the RustFS FTP listener until patched
iptables -A INPUT -p tcp --dport 21 -s 0.0.0.0/0 -j DROP
iptables -A INPUT -p tcp --dport 21 -s 10.0.0.0/8 -j ACCEPT

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.