CVE Catalog

CVE-2026-55189

HighCVSS 7.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

In RustFS from version 1.0.0-alpha.1 to 1.0.0-beta.9, when the FTP frontend is enabled, the read and probe handlers (RETR, SIZE, MDTM, CWD) bypass the IAM authorization function, allowing any authenticated FTP user to read and stat any object in any bucket regardless of their IAM policy.

Risk Assessment

The organization is at risk of unauthorized access to all data stored in RustFS by any FTP user, even if their IAM policy explicitly denies s3:GetObject. This could lead to leakage of sensitive information.

Recommendation

Immediately upgrade RustFS to version 1.0.0-beta.9 or later. If an upgrade is not possible, temporarily disable the FTP frontend.

Original NVD description (English source)

RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, when the FTP frontend is enabled, the FTP read and probe handlers dispatch directly to the storage backend without ever calling the IAM authorization function that the FTP write/list handlers (and the entire HTTP S3 path) use. As a result, any user who can authenticate to the FTP listener — including a user whose IAM policy contains an explicit Deny on s3:GetObject — can read (RETR) and stat (SIZE/MDTM) any object in any bucket, and probe any bucket (CWD), completely regardless of their IAM policy. This vulnerability is fixed in 1.0.0-beta.9.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS