Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-55838

CVE-2026-55838: RustFS Information Disclosure Flaw

CVE-2026-55838 is an information disclosure vulnerability in RustFS that allows restricted IAM users to access server-wide operational metrics. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-55838 Overview

CVE-2026-55838 is a missing authorization vulnerability [CWE-862] in RustFS, a distributed object storage system written in Rust. In version 1.0.0-beta.7 and earlier, the real-time metrics endpoint at /rustfs/admin/v3/metrics is accessible to any authenticated Identity and Access Management (IAM) user regardless of policy scope. The MetricsHandler fails to invoke validate_admin_request, which every other admin handler uses to enforce admin-action IAM checks. A restricted IAM user with access limited to a single bucket can retrieve server-wide operational metrics, including disk I/O statistics, network throughput, scanner cycle timing, and cluster RPC state.

Critical Impact

Any low-privileged IAM user can read cluster-wide operational telemetry, exposing infrastructure details that assist reconnaissance and capacity-based attacks.

Affected Products

  • RustFS distributed object storage
  • Versions 1.0.0-beta.7 and earlier
  • Deployments exposing the admin API to authenticated tenants

Discovery Timeline

  • 2026-06-26 - CVE-2026-55838 published to the National Vulnerability Database (NVD)
  • 2026-06-27 - Last updated in NVD database

Technical Details for CVE-2026-55838

Vulnerability Analysis

RustFS exposes an administrative API under /rustfs/admin/v3/. Each handler in this namespace is expected to call validate_admin_request before returning data. This function checks whether the caller's IAM policy authorizes the specific admin action being requested.

The MetricsHandler, which serves the /rustfs/admin/v3/metrics endpoint, does not invoke this validation. The handler treats any authenticated request as authorized. As a result, an IAM user whose policy only grants access to a single bucket receives the same metrics response as a cluster administrator.

The exposed telemetry includes disk I/O statistics, network throughput, scanner cycle timing, and cluster RPC state. Attackers can use this data to infer cluster topology, identify low-utilization periods, and plan denial-of-service or timing-based attacks against tenants sharing the cluster.

Root Cause

The root cause is a missing authorization check [CWE-862]. The MetricsHandler bypasses the shared admin authorization pipeline used by peer handlers. Authentication is required, but no policy evaluation occurs against the requested action.

Attack Vector

Exploitation requires network access to the RustFS admin API and valid IAM credentials with any policy attached. The attacker sends an authenticated HTTP GET request to /rustfs/admin/v3/metrics and receives the full metrics payload. No privilege escalation on the underlying host is required, and no user interaction is involved.

The vulnerability mechanism is described in the GitHub Security Advisory GHSA-f5cv-v44x-2xgf. No verified public exploit code is available at this time.

Detection Methods for CVE-2026-55838

Indicators of Compromise

  • HTTP GET requests to /rustfs/admin/v3/metrics originating from IAM principals that do not hold administrative policies.
  • Repeated metrics polling from a single low-privilege access key over short intervals.
  • Access log entries showing successful 200 OK responses to /rustfs/admin/v3/metrics from unexpected source IP ranges.

Detection Strategies

  • Correlate RustFS access logs with IAM policy assignments to identify non-admin principals reaching admin endpoints.
  • Alert when the metrics endpoint returns successfully for credentials that are not on an approved administrator list.
  • Baseline normal metrics endpoint consumers (monitoring agents) and flag deviations.

Monitoring Recommendations

  • Forward RustFS admin API access logs to a centralized SIEM for retention and correlation.
  • Track request rates against /rustfs/admin/v3/* per access key to surface reconnaissance behavior.
  • Monitor for credential reuse across bucket-scoped and admin-scoped operations from the same principal.

How to Mitigate CVE-2026-55838

Immediate Actions Required

  • Upgrade RustFS to a release later than 1.0.0-beta.7 that adds validate_admin_request to the MetricsHandler.
  • Restrict network access to the RustFS admin API to trusted management subnets and monitoring hosts.
  • Rotate IAM access keys held by untrusted tenants if the metrics endpoint was reachable by them.

Patch Information

Refer to the RustFS GitHub Security Advisory GHSA-f5cv-v44x-2xgf for the fixed version and remediation details. The fix aligns MetricsHandler with other admin handlers by enforcing IAM policy evaluation before returning metrics.

Workarounds

  • Block /rustfs/admin/v3/metrics at an upstream reverse proxy for all non-administrator source addresses.
  • Segment the admin API onto a dedicated listener that is not exposed to tenant traffic.
  • Issue IAM credentials only to trusted principals until the patched version is deployed.
bash
# Example nginx rule restricting the metrics endpoint to a management CIDR
location /rustfs/admin/v3/metrics {
    allow 10.20.0.0/24;
    deny all;
    proxy_pass http://rustfs_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.