CVE-2026-49991
HighCVSS 8.6Exploitation Probability (EPSS)
Low risk19th percentile — higher than 19% of all known CVEs
Summary
In RustFS 1.0.0-beta.4, authenticated users with PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature to write arbitrary objects into other users' buckets, completely breaking multi-tenant isolation. The vulnerability chains three flaws: no ../ sanitization in tar entry key normalization, IAM wildcard matching using raw (uncleaned) paths, and filesystem path cleaning resolving ../ across bucket boundaries.
Risk Assessment
The organization faces a breach of data isolation between users, potentially leading to unauthorized data access, modification, or theft, as well as non-compliance with data protection regulations.
Recommendation
Immediately upgrade RustFS to version 1.0.0-beta.5 or later, which includes a fix for the vulnerability. If an upgrade is not possible, disable the Snowball auto-extract feature.
Original NVD description (English source)
RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature to write arbitrary objects into other users' buckets, completely breaking multi-tenant isolation. The vulnerability chains three flaws: No ../ sanitization in tar entry key normalization; IAM wildcard matching uses raw (uncleaned) paths; and Filesystem path cleaning resolves ../ across bucket boundaries.

