CVE-2026-55188
Status: Deferred - Pending Action
Authorization Bypass in RustFS Bucket Replication API

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, RustFS contains an authorization bypass in the bucket replication admin API. The ListRemoteTargetHandler handler for listing remote replication targets only checks whether request credentials exist, but does not verify that the caller has replication or administrator permissions. As a result, an authenticated user with no effective bucket or admin permissions can list remote replication target configuration for a bucket. Because the returned BucketTarget objects include remote target credentials, this can disclose replication access keys and secret keys. This vulnerability is fixed in 1.0.0-beta.9.
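The check described above, as an added model that is not RustFS code: the vulnerable handler only tests that credentials are present (CWE-862), while the hardened version also requires a replication or admin permission and, as extra hardening not described in the advisory, redacts the secret key from the listing. The type and permission names (Caller, Permission, BucketTarget, AuthError) are assumptions.

```rust
// Added model of the flaw described above; not RustFS code. The type and
// permission names (Caller, Permission, BucketTarget, AuthError) are assumptions.
use std::collections::HashSet;

#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub enum Permission { GetReplicationConfig, Admin } // assumed permission names
#[derive(Debug, Clone, PartialEq)]
pub struct BucketTarget { pub endpoint: String, pub access_key: String, pub secret_key: String }
#[derive(Debug, PartialEq)]
pub enum AuthError { Unauthenticated, Forbidden }
pub struct Caller {
    pub access_key: Option<String>, // None: the request carried no credentials
    pub perms: HashSet<Permission>,
}

/// Vulnerable pattern (CWE-862): the only check is that credentials exist, so any
/// authenticated principal receives the full target list, secret keys included.
pub fn list_targets_vulnerable(caller: &Caller, targets: &[BucketTarget])
    -> Result<Vec<BucketTarget>, AuthError> {
    if caller.access_key.is_none() {
        return Err(AuthError::Unauthenticated);
    }
    Ok(targets.to_vec())
}

/// Hardened pattern: authenticate, then authorize against a replication or admin
/// permission, and redact the secret key from the listing (the redaction is extra
/// hardening added in this example; the advisory only says the check was fixed).
pub fn list_targets_fixed(caller: &Caller, targets: &[BucketTarget])
    -> Result<Vec<BucketTarget>, AuthError> {
    if caller.access_key.is_none() {
        return Err(AuthError::Unauthenticated);
    }
    let allowed = caller.perms.contains(&Permission::Admin)
        || caller.perms.contains(&Permission::GetReplicationConfig);
    if !allowed {
        return Err(AuthError::Forbidden);
    }
    Ok(targets.iter()
        .map(|t| BucketTarget { secret_key: "<redacted>".to_string(), ..t.clone() })
        .collect())
}

fn main() {
    // Constructed sample: one remote target and a caller with no permissions.
    let targets = vec![BucketTarget { endpoint: "https://remote.example".into(),
        access_key: "AKIA-CONSTRUCTED".into(), secret_key: "constructed-secret".into() }];
    let low = Caller { access_key: Some("user1".into()), perms: HashSet::new() };
    println!("vulnerable: {:?}", list_targets_vulnerable(&low, &targets)); // leaks secret
    println!("fixed: {:?}", list_targets_fixed(&low, &targets)); // Err(Forbidden)
}
```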
Meta Information
Generated: 2026-06-27
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor Product Version / Range
rustfs rustfs From 1.0.0-alpha.1 (inc) to 1.0.0-beta.9 (inc)
rustfs rustfs From 1.0.0-alpha.1 (inc) to 1.0.0-beta.9 (exc)
rustfs rustfs 1.0.0-beta.9
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
AI Quick Actions
Executive Summary

CVE-2026-55188 is an authorization bypass vulnerability in RustFS, a distributed object storage system written in Rust. The issue exists in the ListRemoteTargetHandler of the bucket replication admin API, which only checks if request credentials exist but does not verify if the user has proper replication or administrator permissions.

As a result, an authenticated user without effective bucket or admin permissions can list remote replication target configurations for a bucket. These configurations include sensitive information such as remote target access keys, secret keys, and session tokens.

This means that unauthorized users can obtain credentials that should be protected, potentially allowing them to access or manipulate replicated data.

Impact Analysis

This vulnerability can have serious impacts because it allows unauthorized users to obtain sensitive replication credentials.

  • Attackers can read, write, tamper with, or delete replicated data by using the exposed credentials.
  • It may enable lateral movement to other storage endpoints, increasing the scope of compromise.
  • The exposure of access keys and secret keys can lead to further unauthorized access and data breaches.
Detection Guidance

The presence of this vulnerability can be confirmed by checking whether a user who lacks replication or admin permissions can still retrieve the remote replication target list from the vulnerable endpoint.

Specifically, the vulnerable endpoint is `/rustfs/admin/v3/list-remote-targets`.

To detect exploitation attempts or verify if the vulnerability exists, you can monitor or test access to this endpoint using authenticated requests from users who should not have replication or admin permissions.

  • Use a command-line tool like curl to send an authenticated request to the endpoint and observe if remote replication target credentials are returned.
  • Example command: `curl -i -H "Authorization: Bearer <token>" https://<rustfs-server>/rustfs/admin/v3/list-remote-targets`
  • If the response includes `BucketTarget` objects with access keys or secret keys, the system is vulnerable.

Additionally, network or log monitoring tools can be configured to alert on requests to this endpoint from principals that are not expected to use replication or admin functions.
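One way to implement the monitoring step above over access logs, as an added example that is not part of the advisory or of RustFS: every request whose path is the listing endpoint is flagged unless the principal is on an admin allowlist, and a 200 status on a flagged line indicates the target credentials were actually returned. The key=value log format is constructed here; adapt the parser to the real access-log layout.

```rust
// Added detection example, not part of the advisory or of RustFS. The log format is
// a constructed key=value format; adapt the parser to your own access-log layout.
use std::collections::HashMap;

pub const ENDPOINT: &str = "/rustfs/admin/v3/list-remote-targets";

#[derive(Debug, PartialEq)]
pub struct Alert { pub time: String, pub principal: String, pub status: u16 }

/// Parse one "k=v k=v ..." line into a map (first token is the timestamp).
fn parse_line(line: &str) -> Option<(String, HashMap<&str, &str>)> {
    let mut parts = line.split_whitespace();
    let time = parts.next()?.to_string();
    let fields = parts.filter_map(|kv| kv.split_once('=')).collect();
    Some((time, fields))
}

/// Flag every request to the replication-target listing endpoint that was made
/// by a principal outside the allowlist; a 200 from such a principal means the
/// credentials were actually returned. Unparseable lines are skipped.
pub fn detect(lines: &[&str], allowed: &[&str]) -> Vec<Alert> {
    let mut alerts = Vec::new();
    for line in lines {
        let Some((time, f)) = parse_line(line) else { continue };
        let path = f.get("path").copied().unwrap_or("");
        // Compare the path only, ignoring any query string such as ?bucket=...
        if path.split('?').next() != Some(ENDPOINT) { continue; }
        let principal = f.get("user").copied().unwrap_or("-");
        if allowed.contains(&principal) { continue; }
        let status = f.get("status").and_then(|s| s.parse().ok()).unwrap_or(0);
        alerts.push(Alert { time, principal: principal.to_string(), status });
    }
    alerts
}

fn main() {
    // Constructed sample lines: an admin listing, a low-privilege success, and a noise line.
    let logs = [
        "2026-06-26T10:00:01Z user=rustfsadmin method=GET path=/rustfs/admin/v3/list-remote-targets?bucket=data status=200",
        "2026-06-26T10:00:05Z user=analyst method=GET path=/rustfs/admin/v3/list-remote-targets?bucket=data status=200",
        "2026-06-26T10:00:09Z user=analyst method=GET path=/data/report.csv status=200",
    ];
    for a in detect(&logs, &["rustfsadmin"]) {
        println!("ALERT {} principal={} status={}", a.time, a.principal, a.status);
    }
}
```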

Mitigation Strategies

The immediate mitigation step is to upgrade RustFS to version 1.0.0-beta.9 or later, where this vulnerability is fixed.

Until the upgrade can be performed, restrict access to the vulnerable endpoint `/rustfs/admin/v3/list-remote-targets` to only trusted administrators.

Implement network-level access controls or firewall rules to limit which users or systems can reach this endpoint.

Review and audit user permissions to ensure that only authorized users have access to replication or admin functions.

Monitor logs for any unauthorized access attempts to the vulnerable API endpoint.

Compliance Impact

This vulnerability in RustFS allows unauthorized disclosure of sensitive credentials such as access keys and secret keys through an authorization bypass in the bucket replication admin API.

Exposure of such sensitive information can lead to unauthorized access to replicated data, potentially resulting in data breaches or tampering.

Such breaches of confidentiality and unauthorized access to sensitive data could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.
