CVE Catalog

CVE-2026-55838

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile — higher than 6% of all known CVEs

Summary

In RustFS version 1.0.0-beta.7 and earlier, the real-time metrics endpoint /rustfs/admin/v3/metrics is accessible to any valid IAM user regardless of their assigned policy. The validate_admin_request call is missing, allowing restricted users to read sensitive cluster-wide operational data.

Risk Assessment

Unauthorized access to system metrics may expose performance and cluster state information, facilitating denial-of-service attacks or further intrusion planning.

Recommendation

Immediately upgrade RustFS to a version later than 1.0.0-beta.7 or apply temporary firewall/access restrictions to the /rustfs/admin/v3/metrics endpoint for unauthorized users.

Original NVD description (English source)

RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.7 and earlier, the real-time metrics endpoint at /rustfs/admin/v3/metrics is accessible to any valid IAM user regardless of their assigned policy. Every other admin handler in the codebase calls validate_admin_request to enforce admin-action IAM checks; the MetricsHandler skips this call entirely. A restricted IAM user whose policy grants only access to their own bucket can read server-wide operational metrics including disk I/O statistics, network throughput, scanner cycle timing, and cluster RPC state.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS