CVE-2026-55189 in RustFS

Summary

by MITRE • 06/26/2026

RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, when the FTP frontend is enabled, the FTP read and probe handlers dispatch directly to the storage backend without ever calling the IAM authorization function that the FTP write/list handlers (and the entire HTTP S3 path) use. As a result, any user who can authenticate to the FTP listener — including a user whose IAM policy contains an explicit Deny on s3:GetObject — can read (RETR) and stat (SIZE/MDTM) any object in any bucket, and probe any bucket (CWD), completely regardless of their IAM policy. This vulnerability is fixed in 1.0.0-beta.9.


Analysis

by VulDB Data Team • 06/26/2026

The RustFS distributed object storage system contains a critical authorization bypass vulnerability affecting versions 1.0.0-alpha.1 through 1.0.0-beta.9 when the FTP frontend is enabled. This flaw represents a significant security weakness that undermines the fundamental access control mechanisms designed to protect object storage resources. The vulnerability specifically impacts the FTP read and probe handlers which fail to invoke the IAM authorization function that properly secures write and list operations across the system's HTTP S3 interface.

Technically, the vulnerability stems from an inconsistent authorization pattern within the FTP frontend component, where read and probe operations bypass the standard IAM policy enforcement. While the FTP write and list handlers correctly validate user permissions through IAM policies, the read operations (RETR) and stat operations (SIZE/MDTM) access the storage backend directly without any authorization check. Authentication alone therefore becomes sufficient to access protected resources, regardless of the user's actual permissions. The probe operations (CWD) suffer from the same flaw, allowing attackers to enumerate bucket structures and potentially identify sensitive information about how storage is organized.

The operational impact of this vulnerability is substantial as it completely undermines the principle of least privilege that should govern access to object storage systems. An attacker who can authenticate to the FTP listener can bypass all IAM policies, including those explicitly denying s3:GetObject permissions, and gain access to any object within any bucket. This allows for unauthorized data exfiltration, information disclosure, and potential compromise of sensitive storage contents. The vulnerability affects not just individual objects but also enables reconnaissance activities through bucket probing that would normally be restricted by proper authorization controls.

This security flaw aligns with CWE-639 Access Control Bypass, which describes situations where the system fails to properly enforce access control policies for authenticated users. From an adversary perspective, this vulnerability maps to ATT&CK technique T1078 Valid Accounts as attackers can leverage legitimate authentication credentials to gain unauthorized access to protected storage resources. The inconsistency between FTP read operations and other access methods creates a dangerous gap in the security model that could be exploited by both internal and external threat actors.

The fix implemented in version 1.0.0-beta.9 resolves this issue by ensuring consistent IAM authorization enforcement across all FTP handlers including read, probe, and write operations. This update restores proper authorization checks for all FTP frontend interactions, aligning the behavior of FTP read operations with the established security patterns used throughout the system's HTTP S3 interface. Organizations using affected versions should immediately implement the patch to prevent unauthorized access to their storage resources and maintain compliance with security standards requiring proper access control enforcement.
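The inconsistent-dispatch pattern described above, and the uniform check the fix restores, modelled as an added Rust illustration (not RustFS code). The S3 action names, the command-to-action mapping and the policy type are assumptions; the useful part is `authorization_gaps`, a regression check that runs every FTP command under an explicit deny-all policy and reports any handler that still reaches the backend:

```rust
// Added illustration, not RustFS code: models the flaw described above and the
// authorization-coverage test that would have caught it. Action names are assumed.
use std::collections::HashMap;

#[derive(Clone, Copy, PartialEq, Eq)]
pub enum Effect { Allow, Deny }

/// Minimal IAM-style policy: explicit Deny wins, an unlisted action is denied.
pub struct Policy(pub HashMap<&'static str, Effect>);
impl Policy {
    pub fn authorize(&self, action: &str) -> bool {
        matches!(self.0.get(action), Some(Effect::Allow))
    }
}

/// FTP commands from the advisory and the S3 action each must be checked against.
pub const FTP_COMMANDS: [(&str, &str); 6] = [
    ("RETR", "s3:GetObject"), ("SIZE", "s3:GetObject"), ("MDTM", "s3:GetObject"),
    ("CWD", "s3:ListBucket"), ("LIST", "s3:ListBucket"), ("STOR", "s3:PutObject"),
];
pub type Dispatch = fn(&Policy, &str) -> Result<(), &'static str>;
/// Vulnerable shape: write/list handlers consult IAM, read/probe go straight to storage.
pub fn dispatch_vulnerable(policy: &Policy, cmd: &str) -> Result<(), &'static str> {
    match cmd {
        "STOR" if policy.authorize("s3:PutObject") => Ok(()),
        "LIST" if policy.authorize("s3:ListBucket") => Ok(()),
        "RETR" | "SIZE" | "MDTM" | "CWD" => Ok(()), // no authorize() call: the bug
        _ => Err("access denied"),
    }
}
/// Fixed shape: one table, one check; no command reaches the backend without it.
pub fn dispatch_fixed(policy: &Policy, cmd: &str) -> Result<(), &'static str> {
    match FTP_COMMANDS.iter().find(|(c, _)| *c == cmd) {
        Some((_, action)) if policy.authorize(action) => Ok(()),
        _ => Err("access denied"),
    }
}
/// Regression check: under a policy that explicitly denies every action, every command
/// must fail. Returns the commands that still succeed, i.e. handlers that bypass IAM.
pub fn authorization_gaps(dispatch: Dispatch) -> Vec<&'static str> {
    let deny_all = Policy(FTP_COMMANDS.iter().map(|(_, a)| (*a, Effect::Deny)).collect());
    FTP_COMMANDS.iter()
        .filter(|(c, _)| dispatch(&deny_all, c).is_ok())
        .map(|(c, _)| *c)
        .collect()
}
fn main() {
    println!("handlers bypassing IAM: {:?}", authorization_gaps(dispatch_vulnerable));
    println!("after fix: {:?}", authorization_gaps(dispatch_fixed));
}
```

Running the check against the vulnerable dispatcher lists exactly RETR, SIZE, MDTM and CWD; against the fixed one it lists nothing, which is the property a CI test for a multi-frontend storage system should assert.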

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

06/26/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low
