CVE-2026-47136
Deferred Deferred - Pending Action
Unauthenticated License Metadata Exposure in RustFS

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the RustFS console endpoint GET /rustfs/console/license returns parsed license metadata without requiring authentication. The endpoint is registered on the console listener and returns JSON containing license information such as the license subject and expiration timestamp. Any client that can reach the console listener can query this endpoint without credentials. This vulnerability is fixed in 1.0.0-beta.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-18
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-47136
EUVD
EUVD-2026-32993
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
rustfs rustfs to 1.0.0-beta.2 (exc)
rustfs rustfs 1.0.0-beta.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-47136 vulnerability in RustFS versions 1.0.0-beta.1 and earlier involves an unauthenticated endpoint that exposes license metadata.

Specifically, the GET /rustfs/console/license endpoint returns parsed license information, including the license subject and expiration timestamp, without requiring any authentication.

This means that any client who can reach the console listener can retrieve sensitive license details without credentials.

The root cause is missing authentication for this critical function, leading to exposure of sensitive data.

Compliance Impact

The vulnerability exposes license metadata without authentication, potentially disclosing organizational or customer identity and license timing information to any client with access to the console listener.

Such unauthorized exposure of sensitive information could impact compliance with standards and regulations like GDPR or HIPAA, which require protection of sensitive data and control over access.

However, the exposed data is limited to license metadata rather than personal health information or broader personal data, and the severity is rated as low.

Operators are advised to restrict network access to the console listener until the vulnerability is patched, which helps mitigate compliance risks.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive license information such as the license subject and expiration timestamp.

Such information could reveal organizational or customer identity and license timing details.

While the severity is rated as low, this exposure could potentially aid attackers in gathering intelligence about the target environment.

Until patched, operators are advised to restrict network access to the console listener to mitigate this risk.

Detection Guidance

This vulnerability can be detected by attempting to access the unauthenticated endpoint GET /rustfs/console/license on the RustFS console listener. If the endpoint returns parsed license metadata without requiring authentication, the system is vulnerable.

A simple command to test this is using curl to send a GET request to the endpoint, for example:

  • curl http://<console_listener_address>/rustfs/console/license

If the response contains JSON with license subject and expiration timestamp without any authentication prompt, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include restricting network access to the RustFS console listener to trusted clients only, preventing unauthorized users from reaching the vulnerable endpoint.

Additionally, upgrading RustFS to version 1.0.0-beta.2 or later will fix the vulnerability by requiring admin authentication for the endpoint or limiting the response to non-sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47136. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart