CVE-2026-47136
Unauthenticated License Metadata Exposure in RustFS
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rustfs | rustfs | to 1.0.0-beta.2 (exc) |
| rustfs | rustfs | 1.0.0-beta.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability exposes license metadata without authentication, potentially disclosing organizational or customer identity and license timing information to any client with access to the console listener.
Such unauthorized exposure of sensitive information could impact compliance with standards and regulations like GDPR or HIPAA, which require protection of sensitive data and control over access.
However, the exposed data is limited to license metadata rather than personal health information or broader personal data, and the severity is rated as low.
Operators are advised to restrict network access to the console listener until the vulnerability is patched, which helps mitigate compliance risks.
Can you explain this vulnerability to me?
The CVE-2026-47136 vulnerability in RustFS versions 1.0.0-beta.1 and earlier involves an unauthenticated endpoint that exposes license metadata.
Specifically, the GET /rustfs/console/license endpoint returns parsed license information, including the license subject and expiration timestamp, without requiring any authentication.
This means that any client who can reach the console listener can retrieve sensitive license details without credentials.
The root cause is missing authentication for this critical function, leading to exposure of sensitive data.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive license information such as the license subject and expiration timestamp.
Such information could reveal organizational or customer identity and license timing details.
While the severity is rated as low, this exposure could potentially aid attackers in gathering intelligence about the target environment.
Until patched, operators are advised to restrict network access to the console listener to mitigate this risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the unauthenticated endpoint GET /rustfs/console/license on the RustFS console listener. If the endpoint returns parsed license metadata without requiring authentication, the system is vulnerable.
A simple command to test this is using curl to send a GET request to the endpoint, for example:
- curl http://<console_listener_address>/rustfs/console/license
If the response contains JSON with license subject and expiration timestamp without any authentication prompt, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting network access to the RustFS console listener to trusted clients only, preventing unauthorized users from reaching the vulnerable endpoint.
Additionally, upgrading RustFS to version 1.0.0-beta.2 or later will fix the vulnerability by requiring admin authentication for the endpoint or limiting the response to non-sensitive information.