CVE Catalog

CVE-2026-49991

HighCVSS 8.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

19th percentile — higher than 19% of all known CVEs

Summary

In RustFS 1.0.0-beta.4, authenticated users with PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature to write arbitrary objects into other users' buckets, completely breaking multi-tenant isolation. The vulnerability chains three flaws: no ../ sanitization in tar entry key normalization, IAM wildcard matching using raw (uncleaned) paths, and filesystem path cleaning resolving ../ across bucket boundaries.

Risk Assessment

The organization faces a breach of data isolation between users, potentially leading to unauthorized data access, modification, or theft, as well as non-compliance with data protection regulations.

Recommendation

Immediately upgrade RustFS to version 1.0.0-beta.5 or later, which includes a fix for the vulnerability. If an upgrade is not possible, disable the Snowball auto-extract feature.

Original NVD description (English source)

RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature to write arbitrary objects into other users' buckets, completely breaking multi-tenant isolation. The vulnerability chains three flaws: No ../ sanitization in tar entry key normalization; IAM wildcard matching uses raw (uncleaned) paths; and Filesystem path cleaning resolves ../ across bucket boundaries.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS