CVE-2026-59092
Received - Intake

Authentication Bypass in JuiceFS Debug Endpoints

Vulnerability report for CVE-2026-59092, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: VulnCheck

Description

JuiceFS through 1.3.1, fixed in commit a46979c, contains an authentication bypass vulnerability that allows unauthenticated remote attackers to access sensitive debug and metrics endpoints by exploiting improper handler registration on the shared http.DefaultServeMux. Attackers can request the /debug/pprof/cmdline endpoint to obtain the process command line containing metadata engine connection strings with database credentials, granting full read/write access to filesystem metadata, while other pprof handlers leak internal state and profiling handlers enable denial of service.

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: juicefs
Product: juicefs
Version / Range: up to 1.3.1 (inclusive)

Exploitability

CWE-489: The product is released with debugging code still enabled or active.

Executive Summary

CVE-2026-59092 is an authentication bypass vulnerability in JuiceFS versions up to 1.3.1. It occurs because the WebDAV server and other components register their HTTP handlers on Go's shared default HTTP multiplexer (http.DefaultServeMux), which unintentionally exposes sensitive debug and metrics endpoints without requiring authentication.

Attackers can exploit this by accessing endpoints such as /debug/pprof/cmdline to retrieve the process command line, which may contain metadata engine connection strings including database credentials. This grants attackers full read/write access to filesystem metadata. Other exposed pprof endpoints leak internal runtime state and profiling handlers can be abused to cause denial-of-service by consuming CPU and runtime resources.

Impact Analysis

This vulnerability can have several serious impacts:

  • Unauthenticated attackers can gain access to sensitive debug endpoints that reveal internal process information, including database credentials.
  • Attackers can obtain full read and write access to filesystem metadata by exploiting leaked metadata engine connection strings.
  • Exposure of internal runtime state and stack traces can aid attackers in further exploitation or reconnaissance.
  • Profiling endpoints can be abused to launch denial-of-service attacks by consuming excessive CPU and runtime resources.
  • The vulnerability is not mitigated by setting WebDAV user credentials and is often exposed on network-facing interfaces due to default configuration recommendations.

Detection Guidance

This vulnerability can be detected by checking if the sensitive debug and metrics endpoints such as /debug/pprof/cmdline and /metrics are accessible without authentication on your JuiceFS WebDAV server.

You can use network tools like curl or wget to test access to these endpoints from your network or system.

  • curl http://<juicefs-server>:<port>/debug/pprof/cmdline
  • curl http://<juicefs-server>:<port>/metrics

If these commands return data without requiring authentication, it indicates the vulnerability is present.

Mitigation Strategies

Immediate mitigation involves preventing exposure of Go's shared http.DefaultServeMux, on which the sensitive /debug/pprof and /metrics endpoints are registered: in Go, importing net/http/pprof registers its handlers on the default mux as a side effect, and any server started with a nil handler serves that mux, so every route registered there becomes reachable through the WebDAV listener.

Specifically, you should update JuiceFS to a version that includes the fix (commit a46979c or later) which uses dedicated http.ServeMux instances for WebDAV and metrics handlers instead of the default mux.

Additionally, ensure that the WebDAV server and metrics endpoints are not bound to 0.0.0.0 or any publicly accessible interface. Bind them to localhost or restrict access via firewall rules.

  • Upgrade JuiceFS to a fixed version containing commit a46979c.
  • Configure the server to bind metrics and debug endpoints to 127.0.0.1 only.
  • Use firewall or network policies to restrict access to these endpoints.
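The handler-registration difference behind the fix, shown as an added example that is not JuiceFS code: a placeholder WebDAV route is registered once on the shared http.DefaultServeMux (the weak pattern) and once on a dedicated http.ServeMux (the corrected pattern), and both are probed in-process for /debug/pprof/cmdline. The route path /webdav/, the handler body and the probe helper are assumptions made for the illustration; the pprof routes come from the standard library's net/http/pprof package.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	_ "net/http/pprof" // side effect only: registers /debug/pprof/* on http.DefaultServeMux
	"sync"
)

// webdavHandler is a placeholder for the real WebDAV handler (not JuiceFS code).
func webdavHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "webdav ok")
}

var registerOnce sync.Once

// sharedMuxHandler reproduces the weak pattern: the application route is added
// to the process-wide http.DefaultServeMux (http.HandleFunc does exactly that),
// and the server is later started with a nil handler, which also means
// DefaultServeMux. Every route that any imported package registered there,
// including the pprof ones from the blank import above, is served alongside it.
func sharedMuxHandler() http.Handler {
	registerOnce.Do(func() { http.HandleFunc("/webdav/", webdavHandler) })
	return http.DefaultServeMux
}

// dedicatedMuxHandler is the corrected pattern: a private mux holds only the
// routes this component registers, so the pprof handlers are not reachable
// through this listener regardless of which packages the binary imports.
func dedicatedMuxHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/webdav/", webdavHandler)
	return mux
}

// probe is the in-process equivalent of the curl check above: it returns the
// HTTP status code that handler h produces for path.
func probe(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	for _, path := range []string{"/webdav/", "/debug/pprof/", "/debug/pprof/cmdline"} {
		fmt.Printf("%-24s shared mux: %d   dedicated mux: %d\n",
			path, probe(sharedMuxHandler(), path), probe(dedicatedMuxHandler(), path))
	}
}
```

The shared mux answers 200 for /debug/pprof/cmdline even though the application never mentioned that path; the dedicated mux answers 404 while still serving /webdav/. The same separation applies to a metrics listener: give it its own mux and bind it to 127.0.0.1 rather than relying on http.DefaultServeMux.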
