CVE-2026-55189
Status: Deferred - Pending Action
FTP Authentication Bypass in RustFS Storage System

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, when the FTP frontend is enabled, the FTP read and probe handlers dispatch directly to the storage backend without ever calling the IAM authorization function that the FTP write/list handlers (and the entire HTTP S3 path) use. As a result, any user who can authenticate to the FTP listener, including a user whose IAM policy contains an explicit Deny on s3:GetObject, can read (RETR) and stat (SIZE/MDTM) any object in any bucket, and probe any bucket (CWD), completely regardless of their IAM policy. This vulnerability is fixed in 1.0.0-beta.9.
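The defect the description names is a dispatcher in which only some FTP verbs consult IAM. The following Rust model, added here as an illustration and not taken from RustFS, contrasts that shape (read and probe verbs going straight to the backend) with a single authorization choke point in front of every verb. The Policy, FtpCmd, Storage and Outcome types, the ARN strings, the verb-to-action mapping and the sample object are all assumptions chosen for the example.

```rust
// Added illustration for CVE-2026-55189: a constructed model, not RustFS source.
// The Policy/FtpCmd/Storage types, ARN strings and sample data are assumptions.
use std::collections::HashMap;

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
enum Effect { Allow, Deny }
/// One IAM-style statement: effect plus action and resource patterns.
struct Statement { effect: Effect, action: &'static str, resource: &'static str }
struct Policy { statements: Vec<Statement> }
/// Minimal glob for the model: "*" or "prefix*" is a prefix match, otherwise exact.
fn glob_match(pattern: &str, value: &str) -> bool {
    pattern.strip_suffix('*').map_or(pattern == value, |prefix| value.starts_with(prefix))
}
impl Policy {
    /// IAM evaluation: an explicit Deny on a matching statement always wins, an
    /// Allow is required for access, and no matching statement is an implicit deny.
    fn permits(&self, action: &str, resource: &str) -> bool {
        let mut allowed = false;
        for s in &self.statements {
            if !glob_match(s.action, action) || !glob_match(s.resource, resource) { continue; }
            match s.effect {
                Effect::Deny => return false,
                Effect::Allow => allowed = true,
            }
        }
        allowed
    }
}

/// The FTP verbs the advisory names, with the bucket (and key) each touches.
#[derive(Clone, Copy, Debug)]
enum FtpCmd<'a> {
    Retr(&'a str, &'a str), Size(&'a str, &'a str), Mdtm(&'a str, &'a str),
    Cwd(&'a str), Stor(&'a str, &'a str), List(&'a str),
}
/// Map an FTP verb to the S3 action and resource IAM must evaluate, so the FTP
/// path asks the same question the HTTP S3 path asks (mapping is an assumption).
fn required_permission(cmd: &FtpCmd) -> (&'static str, String) {
    match *cmd {
        FtpCmd::Retr(b, k) | FtpCmd::Size(b, k) | FtpCmd::Mdtm(b, k) => ("s3:GetObject", format!("arn:aws:s3:::{b}/{k}")),
        FtpCmd::Stor(b, k) => ("s3:PutObject", format!("arn:aws:s3:::{b}/{k}")),
        FtpCmd::Cwd(b) | FtpCmd::List(b) => ("s3:ListBucket", format!("arn:aws:s3:::{b}")),
    }
}

#[derive(Debug, PartialEq, Eq)]
enum Outcome { Ok(Vec<u8>), Denied, NotFound }
/// Toy object store keyed by (bucket, key). It performs no authorization of its
/// own; that is the dispatcher's job, which is exactly where the gap was.
struct Storage { objects: HashMap<(String, String), Vec<u8>> }
impl Storage {
    fn sample() -> Self {
        let mut objects = HashMap::new();
        objects.insert(("tenant-a".to_string(), "secret.txt".to_string()), b"top secret".to_vec());
        Storage { objects }
    }
    fn get(&self, b: &str, k: &str) -> Option<&Vec<u8>> {
        self.objects.get(&(b.to_string(), k.to_string()))
    }
    fn execute(&self, cmd: &FtpCmd) -> Outcome {
        match *cmd {
            FtpCmd::Retr(b, k) => self.get(b, k).map_or(Outcome::NotFound, |d| Outcome::Ok(d.clone())),
            FtpCmd::Size(b, k) => self.get(b, k).map_or(Outcome::NotFound, |d| Outcome::Ok(d.len().to_string().into_bytes())),
            // Constructed timestamp; a real store would report the object's mtime.
            FtpCmd::Mdtm(b, k) => self.get(b, k).map_or(Outcome::NotFound, |_| Outcome::Ok(b"20260626000000".to_vec())),
            FtpCmd::Cwd(b) | FtpCmd::List(b) if self.objects.keys().any(|(bucket, _)| bucket == b) => Outcome::Ok(Vec::new()),
            FtpCmd::Cwd(_) | FtpCmd::List(_) => Outcome::NotFound,
            FtpCmd::Stor(..) => Outcome::Ok(Vec::new()), // the write itself is elided in the model
        }
    }
}

/// Vulnerable shape (CWE-862): only write/list verbs consult IAM; read and probe
/// verbs dispatch straight to the backend, so an explicit Deny is never seen.
fn dispatch_unchecked(policy: &Policy, storage: &Storage, cmd: &FtpCmd) -> Outcome {
    if matches!(cmd, FtpCmd::Stor(..) | FtpCmd::List(..)) {
        let (action, resource) = required_permission(cmd);
        if !policy.permits(action, &resource) { return Outcome::Denied; }
    }
    storage.execute(cmd)
}
/// Hardened shape: one choke point authorizes every verb before the backend is touched.
fn dispatch_checked(policy: &Policy, storage: &Storage, cmd: &FtpCmd) -> Outcome {
    let (action, resource) = required_permission(cmd);
    if !policy.permits(action, &resource) { return Outcome::Denied; }
    storage.execute(cmd)
}
/// A tenant user with broad access but an explicit Deny on s3:GetObject.
fn deny_get_policy() -> Policy {
    Policy { statements: vec![
        Statement { effect: Effect::Allow, action: "s3:*", resource: "*" },
        Statement { effect: Effect::Deny, action: "s3:GetObject", resource: "*" },
    ] }
}

fn main() {
    let (storage, policy, retr) = (Storage::sample(), deny_get_policy(), FtpCmd::Retr("tenant-a", "secret.txt"));
    println!("unchecked RETR -> {:?}", dispatch_unchecked(&policy, &storage, &retr));
    println!("checked   RETR -> {:?}", dispatch_checked(&policy, &storage, &retr));
}
```

The policy evaluator implements the IAM rule the description relies on (an explicit Deny beats any Allow), so under dispatch_checked a RETR, SIZE or MDTM by the Deny-on-GetObject user is refused while CWD, which maps to s3:ListBucket, still succeeds; under dispatch_unchecked the same RETR returns the object. The structural lesson is the second dispatcher: every verb derives its required permission from one mapping and passes through one authorize call, so a new verb cannot be added without being gated.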
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs

Vendor   Product   Version / Range
rustfs   rustfs    From 1.0.0-alpha.1 (inc) to 1.0.0-beta.8 (inc)
rustfs   rustfs    1.0.0-beta.9
CWE
CWE ID    Description
CWE-863   The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-862   The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Executive Summary

CVE-2026-55189 is a vulnerability in the FTP frontend of the RustFS distributed object storage system. In versions 1.0.0-alpha.1 through 1.0.0-beta.8, when the FTP frontend is enabled, the FTP read and probe handlers skip the IAM authorization check that the FTP write and list handlers, and the entire HTTP S3 API, enforce.

This means that any user who can authenticate to the FTP listener can read (RETR) and retrieve metadata (SIZE or MDTM) for any object in any bucket, and probe any bucket (CWD), regardless of their IAM policy, even when that policy explicitly denies such access.

The root cause is that the FTP read and probe handlers directly dispatch to the storage backend without calling the IAM authorization function, unlike other handlers that correctly enforce authorization.

This vulnerability is fixed starting from RustFS version 1.0.0-beta.9.

Compliance Impact

This vulnerability results in a complete loss of object confidentiality in multi-tenant deployments, as any authenticated user can read all objects regardless of their IAM permissions.

Such unauthorized data access can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict access controls and confidentiality of sensitive information.

Because the FTP read and probe handlers bypass IAM authorization checks, organizations using affected RustFS versions with the FTP frontend enabled may fail to meet compliance requirements related to data confidentiality and access control.

Impact Analysis

This vulnerability can lead to a complete loss of confidentiality of stored objects in RustFS deployments that enable the FTP frontend.

Any authenticated user, even those with explicit Deny policies on reading objects, can access and read any object or its metadata in any bucket.

In multi-tenant environments, this means unauthorized users can access sensitive data they should not have permission to see, potentially leading to data breaches.

The vulnerability does not affect availability or integrity, but the confidentiality impact is rated high.

Detection Guidance

This vulnerability can be detected by testing whether FTP read and probe commands bypass IAM authorization checks on your RustFS deployment when the FTP frontend is enabled.

  • Attempt to authenticate to the FTP listener with a user account that has an explicit Deny on s3:GetObject.
  • Use FTP commands such as RETR (to read an object), SIZE or MDTM (to retrieve metadata), and CWD (to probe buckets) to check if these operations succeed despite the Deny policy.

If these commands succeed and allow access to objects or metadata that should be denied, it indicates the vulnerability is present.

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade RustFS to version 1.0.0-beta.9 or later, where the FTP read and probe handlers enforce IAM authorization like the other handlers.

If upgrading is not immediately possible, consider disabling the FTP frontend (both plain FTP and FTPS) to prevent unauthorized read access via FTP.

Note that SFTP is not affected by this vulnerability and continues to enforce authorization checks properly.
