CVE-2026-55838
Deferred - Pending Action
RustFS Admin Metrics Exposure via IAM Policy Bypass

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.7 and earlier, the real-time metrics endpoint at /rustfs/admin/v3/metrics is accessible to any valid IAM user regardless of their assigned policy. Every other admin handler in the codebase calls validate_admin_request to enforce admin-action IAM checks; the MetricsHandler skips this call entirely. A restricted IAM user whose policy grants only access to their own bucket can read server-wide operational metrics including disk I/O statistics, network throughput, scanner cycle timing, and cluster RPC state.
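As an added illustration of the pattern the description refers to (this is a constructed mock, not RustFS source): a minimal model in which every admin handler passes through a `validate_admin_request`-style gate, while the vulnerable metrics handler only checks that some credentials were presented. The request and policy types, the function bodies and the sample metrics string are assumptions made for this example; only the endpoint path and the gate's name come from the advisory.

```rust
// Constructed mock of the CWE-862 pattern described for CVE-2026-55838.
// Not RustFS code: types, policy model and bodies are assumptions.
use std::collections::HashSet;

/// Minimal IAM policy: the buckets a user may touch and whether the policy
/// grants admin actions (the real RustFS policy language is richer).
#[derive(Debug, Clone)]
pub struct Policy {
    pub buckets: HashSet<String>,
    pub admin_actions: bool,
}

/// A request whose credentials were already verified; `None` means
/// anonymous or bad credentials.
#[derive(Debug, Clone)]
pub struct Request {
    pub principal: Option<(String, Policy)>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Denied {
    Unauthenticated, // would map to HTTP 401
    Forbidden,       // would map to HTTP 403
}

/// Stand-in for the admin gate the other admin handlers call. The name is
/// taken from the advisory; the body is our assumption.
pub fn validate_admin_request(req: &Request) -> Result<&str, Denied> {
    match &req.principal {
        None => Err(Denied::Unauthenticated),
        Some((user, policy)) if policy.admin_actions => Ok(user.as_str()),
        Some(_) => Err(Denied::Forbidden),
    }
}

/// Constructed stand-in for the server-wide metrics payload.
pub fn collect_metrics() -> String {
    "disk_io_bytes=1048576 net_bps=8000000 scanner_cycle_ms=1500 rpc=healthy".to_string()
}

/// The flawed handler: it only asks "is someone authenticated?", never
/// "may this principal perform an admin action?".
pub fn metrics_handler_vulnerable(req: &Request) -> Result<String, Denied> {
    if req.principal.is_none() {
        return Err(Denied::Unauthenticated);
    }
    Ok(collect_metrics())
}

/// The corrected handler: same gate as every other admin handler.
pub fn metrics_handler_fixed(req: &Request) -> Result<String, Denied> {
    validate_admin_request(req)?;
    Ok(collect_metrics())
}

/// Ordinary bucket access stays policy-scoped either way: the fix does not
/// remove anything a restricted user was legitimately allowed to do.
pub fn bucket_handler(req: &Request, bucket: &str) -> Result<String, Denied> {
    match &req.principal {
        None => Err(Denied::Unauthenticated),
        Some((_, policy)) if policy.admin_actions || policy.buckets.contains(bucket) => {
            Ok(format!("listing of {}", bucket))
        }
        Some(_) => Err(Denied::Forbidden),
    }
}

pub fn request_for(user: Option<(&str, Policy)>) -> Request {
    Request { principal: user.map(|(u, p)| (u.to_string(), p)) }
}

pub fn restricted_policy(bucket: &str) -> Policy {
    Policy { buckets: HashSet::from([bucket.to_string()]), admin_actions: false }
}

pub fn admin_policy() -> Policy {
    Policy { buckets: HashSet::new(), admin_actions: true }
}

fn main() {
    // Constructed principal: policy scoped to a single bucket, no admin actions.
    let alice = request_for(Some(("alice", restricted_policy("alice-bucket"))));
    println!("vulnerable handler: {:?}", metrics_handler_vulnerable(&alice));
    println!("fixed handler:      {:?}", metrics_handler_fixed(&alice));
}
```

The difference between the two metrics handlers is one line: the fixed version consults the same authorization gate the rest of the admin surface uses instead of treating "authenticated" as "authorized".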
Meta Information
Generated: 2026-06-27
AI Q&A: 2026-06-27
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
rustfs   rustfs    to 1.0.0-beta.7 (exc)
rustfs   rustfs    to 1.0.0-beta.6 (exc)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Compliance Impact

The vulnerability allows any authenticated IAM user, even those with restricted policies, to access server-wide operational metrics without proper admin authorization. While this exposure does not include user data or access keys, it reveals critical operational insights such as disk I/O statistics, network throughput, and system performance details.

Because the leaked information does not include personal or sensitive user data, the direct impact on compliance with data protection regulations like GDPR or HIPAA is limited. However, the unauthorized disclosure of infrastructure and operational metrics could aid attackers in reconnaissance, potentially increasing the risk of further attacks that might compromise regulated data.

Overall, this vulnerability represents a failure to enforce proper authorization controls (CWE-862), which could be viewed as a compliance risk under standards that require strict access controls and protection of system information.

Executive Summary

CVE-2026-55838 is a vulnerability in RustFS, a distributed object storage system built in Rust. The real-time metrics endpoint at /rustfs/admin/v3/metrics does not enforce the admin authorization check. While the other admin endpoints validate admin privileges, this metrics endpoint only checks that credentials are present and does not verify whether the user has admin rights.

As a result, any authenticated IAM user, even those with restricted policies granting access only to their own bucket, can access server-wide operational metrics. These metrics include disk I/O statistics, network throughput, scanner cycle timing, and cluster RPC state.

This vulnerability is classified as a missing authorization check (CWE-862) and has a CVSS v3.1 base score of 4.3, indicating medium severity.

Impact Analysis

This vulnerability allows restricted IAM users to access detailed operational metrics of the RustFS server that they should not normally see. Although it does not expose user data or access keys, the leaked information can provide attackers with critical insights into the storage system's topology, load patterns, and performance.

Such information could be used for reconnaissance purposes, helping an attacker to better understand the infrastructure and potentially plan further attacks.

Detection Guidance

This vulnerability can be detected by attempting to access the `/rustfs/admin/v3/metrics` endpoint with a valid IAM user account that has restricted permissions (e.g., access only to a single bucket). If the endpoint returns server-wide operational metrics without requiring admin privileges, the system is vulnerable.

A practical detection method is to send an HTTP GET request to the metrics endpoint using a restricted IAM user's credentials and observe the response.

  • Use curl or a similar HTTP client to test access, for example:
      curl -u <restricted_user>:<password> https://<rustfs_server>/rustfs/admin/v3/metrics
  • If the response status is 200 and the body contains detailed server metrics (disk I/O, network throughput, etc.), the vulnerability is present.

Mitigation Strategies

Since no patched versions are available at the time of disclosure, immediate mitigation involves restricting access to the `/rustfs/admin/v3/metrics` endpoint to only fully authorized admin users.

Possible mitigation steps include:

  • Implement network-level access controls (e.g., firewall rules) to limit access to the metrics endpoint.
  • Use reverse proxies or API gateways to enforce stricter authentication and authorization checks on the metrics endpoint.
  • Monitor and audit access logs for any unauthorized attempts to access the metrics endpoint.
  • Plan to update RustFS to a patched version once it becomes available.
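The log-monitoring step above, as an added example that is not part of the advisory: a small audit over access-log lines that flags every request to the metrics endpoint made by a principal outside a known admin set, and separates the successful reads (evidence the missing gate was exercised) from the blocked attempts. The advisory gives no RustFS log layout, so the line format and the sample lines are constructed for this example and the field positions are an assumption to adapt.

```rust
// Added audit example for CVE-2026-55838 log review. The log format is
// constructed for this example (`<timestamp> <user> <method> <path> <status>`);
// adapt the field positions to the real access-log layout.
use std::collections::HashSet;

#[derive(Debug, PartialEq, Eq)]
pub struct Finding {
    pub line_no: usize,
    pub user: String,
    pub status: u16,
}

pub const METRICS_PATH: &str = "/rustfs/admin/v3/metrics";

/// Constructed sample access log. "-" marks an anonymous request.
pub const SAMPLE_LOG: &str = "\
2026-06-26T10:00:01Z root GET /rustfs/admin/v3/metrics 200
2026-06-26T10:00:05Z alice GET /alice-bucket/report.csv 200
2026-06-26T10:00:09Z alice GET /rustfs/admin/v3/metrics 200
2026-06-26T10:00:12Z bob GET /rustfs/admin/v3/metrics 403
2026-06-26T10:00:15Z - GET /rustfs/admin/v3/metrics 401
malformed line";

/// Return every metrics-endpoint request by a principal not in `admins`.
/// Lines that do not match the expected five-field layout are skipped.
pub fn audit_metrics_access(log: &str, admins: &HashSet<&str>) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (idx, line) in log.lines().enumerate() {
        let fields: Vec<&str> = line.split_whitespace().collect();
        if fields.len() != 5 {
            continue;
        }
        let (user, path, status) = (fields[1], fields[3], fields[4]);
        let status: u16 = match status.parse() {
            Ok(s) => s,
            Err(_) => continue,
        };
        if path != METRICS_PATH || admins.contains(user) {
            continue;
        }
        findings.push(Finding { line_no: idx + 1, user: user.to_string(), status });
    }
    findings
}

/// A 200 to a non-admin means the endpoint served metrics without the admin
/// gate; a 401/403 is a blocked attempt that is still worth reviewing.
pub fn successful_bypasses(findings: &[Finding]) -> Vec<&Finding> {
    findings.iter().filter(|f| f.status == 200).collect()
}

fn main() {
    let admins = HashSet::from(["root"]);
    let findings = audit_metrics_access(SAMPLE_LOG, &admins);
    for f in &findings {
        println!("line {}: {} -> {}", f.line_no, f.user, f.status);
    }
    println!("successful non-admin reads: {}", successful_bypasses(&findings).len());
}
```

Once a patched version is deployed, the same audit is a useful regression check: the fixed build should only ever produce 401/403 findings for non-admin principals on this path.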