CVE-2026-55838 in RustFS
Summary
by MITRE • 06/26/2026
RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.7 and earlier, the real-time metrics endpoint at /rustfs/admin/v3/metrics is accessible to any valid IAM user regardless of their assigned policy. Every other admin handler in the codebase calls validate_admin_request to enforce admin-action IAM checks; the MetricsHandler skips this call entirely. A restricted IAM user whose policy grants only access to their own bucket can read server-wide operational metrics including disk I/O statistics, network throughput, scanner cycle timing, and cluster RPC state.
Analysis
by VulDB Data Team • 06/27/2026
The vulnerability exists within RustFS version 1.0.0-beta.7 and earlier, where the real-time metrics endpoint at /rustfs/admin/v3/metrics lacks proper access control enforcement despite other administrative handlers implementing robust IAM validation. This represents a critical security flaw that violates fundamental principles of least privilege and role-based access control. The MetricsHandler function fails to invoke the validate_admin_request function that serves as the primary gatekeeper for administrative operations throughout the codebase, creating an unintended access vector that bypasses all policy restrictions imposed on users.
This vulnerability falls under CWE-284 Access Control Bypass, specifically manifesting as improper access control where a user with limited permissions can access administrative resources they should not be authorized to view. The flaw enables a restricted IAM user who has been granted access only to their own bucket to obtain comprehensive server-wide operational metrics including disk I/O statistics, network throughput measurements, scanner cycle timing data, and cluster RPC state information. These metrics represent sensitive operational data that could provide attackers with valuable insights into the system's performance characteristics, resource utilization patterns, and internal architecture.
The operational impact of this vulnerability extends beyond simple information disclosure, as it creates a potential reconnaissance opportunity for adversaries seeking to understand the system's behavior before launching more sophisticated attacks. The collected metrics could reveal system bottlenecks, resource consumption patterns, and operational timing that could be exploited to craft targeted denial-of-service attacks or identify optimal attack windows. In terms of the MITRE ATT&CK framework, this vulnerability maps to T1082 System Information Discovery and T1592 Asset Discovery, as it enables unauthorized enumeration of system resources and operational characteristics.
The security implications are particularly concerning given that the metrics endpoint exposes granular details about the storage system's performance and resource utilization. Disk I/O statistics could reveal the storage architecture and performance characteristics of different storage tiers, while network throughput data might indicate bandwidth usage patterns and potential bottlenecks in the distributed system. Scanner cycle timing information provides insight into maintenance schedules and operational cadence, which could be leveraged to time attacks or exploit system vulnerabilities during specific operational windows.
Mitigation strategies should focus on implementing proper access control enforcement for all administrative endpoints by ensuring that the MetricsHandler function invokes validate_admin_request before processing any requests. The fix must align with security best practices for distributed systems and should include comprehensive logging of all access attempts to the metrics endpoint to enable detection of unauthorized access patterns. Additionally, organizations should implement network segmentation controls to limit access to administrative endpoints to trusted management networks only, while maintaining strict audit trails of all administrative activities across the system.
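The gap the Summary and Analysis describe, and the fix the mitigation paragraph calls for, are easy to show side by side: an admin handler that never calls the shared gate, next to the same handler that calls it first and records the decision. The Rust below is an added illustration written for this page, not code from RustFS; the `IamIdentity` type, the `admin:ServerMetrics` action name, the `validate_admin_request` signature, the audit vector and the sample metric values are all assumptions made for the example.

```rust
// Added illustration (not RustFS code): an admin handler that skips the shared
// validate_admin_request gate, beside a hardened form that calls it and logs
// the decision. Types, action names, signatures and sample values are
// assumptions for this example, not RustFS's own API.

use std::collections::HashSet;

/// A caller as resolved by IAM: a user name plus the admin actions its policy
/// grants. A bucket-only user has an empty admin action set.
#[derive(Debug, Clone)]
pub struct IamIdentity {
    pub user: String,
    pub admin_actions: HashSet<String>,
}

/// Hypothetical admin action name that a metrics handler should require.
pub const ACTION_SERVER_METRICS: &str = "admin:ServerMetrics";

/// Server-wide operational data that only administrators should see.
#[derive(Debug, Clone, PartialEq)]
pub struct ServerMetrics {
    pub disk_read_bytes: u64,
    pub net_tx_bytes: u64,
    pub scanner_cycle_ms: u64,
}

#[derive(Debug, PartialEq)]
pub enum AdminError {
    AccessDenied { user: String, action: String },
}

/// The shared gate every admin handler is expected to call: deny unless the
/// caller's policy grants the named admin action.
pub fn validate_admin_request(id: &IamIdentity, action: &str) -> Result<(), AdminError> {
    if id.admin_actions.contains(action) {
        Ok(())
    } else {
        Err(AdminError::AccessDenied { user: id.user.clone(), action: action.to_string() })
    }
}

/// Constructed sample metrics standing in for whatever the server collects.
fn collect_metrics() -> ServerMetrics {
    ServerMetrics { disk_read_bytes: 8_192_000, net_tx_bytes: 524_288, scanner_cycle_ms: 1_500 }
}

/// Pattern of the flaw: any authenticated caller gets the metrics because the
/// gate is never invoked.
pub fn metrics_handler_unchecked(_id: &IamIdentity) -> Result<ServerMetrics, AdminError> {
    Ok(collect_metrics())
}

/// Hardened form: gate first, then record the decision so denied attempts are
/// visible to whoever reviews the audit log.
pub fn metrics_handler_checked(
    id: &IamIdentity,
    audit: &mut Vec<String>,
) -> Result<ServerMetrics, AdminError> {
    let path = "/rustfs/admin/v3/metrics";
    match validate_admin_request(id, ACTION_SERVER_METRICS) {
        Ok(()) => {
            audit.push(format!("ALLOW user={} action={} path={}", id.user, ACTION_SERVER_METRICS, path));
            Ok(collect_metrics())
        }
        Err(e) => {
            audit.push(format!("DENY user={} action={} path={}", id.user, ACTION_SERVER_METRICS, path));
            Err(e)
        }
    }
}

/// The two callers from the advisory: a bucket-only user with no admin
/// actions, and a full administrator.
pub fn bucket_only_user(name: &str) -> IamIdentity {
    IamIdentity { user: name.to_string(), admin_actions: HashSet::new() }
}

pub fn admin_user(name: &str) -> IamIdentity {
    let mut actions = HashSet::new();
    actions.insert(ACTION_SERVER_METRICS.to_string());
    IamIdentity { user: name.to_string(), admin_actions: actions }
}

fn main() {
    let mut audit = Vec::new();
    let restricted = bucket_only_user("bucket-owner");
    println!("unchecked: {:?}", metrics_handler_unchecked(&restricted));
    println!("checked:   {:?}", metrics_handler_checked(&restricted, &mut audit));
    println!("checked:   {:?}", metrics_handler_checked(&admin_user("ops-admin"), &mut audit));
    for line in &audit {
        println!("{line}");
    }
}
```

Running it shows the restricted user succeeding against the unchecked handler and being denied by the checked one, with a `DENY` audit line that a log pipeline can alert on; a burst of such lines from one bucket-scoped user is the detection signal the mitigation paragraph asks for.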