Authorization Bypass in RustFS Distributed Object Storage System by Rust
CVE-2026-55188

8.2HIGH

Key Information:

Vendor: Rustfs
Status: Rustfs
Vendor: CVE Published:; 26 June 2026

What is CVE-2026-55188?

RustFS, a distributed object storage system built in Rust, contains an authorization bypass vulnerability in its bucket replication admin API from versions 1.0.0-alpha.1 to 1.0.0-beta.9. The issue arises in the ListRemoteTargetHandler, which inadequately checks permissions for users. As a result, authenticated users lacking proper bucket or admin permissions can list remote replication targets, potentially exposing critical replication access keys and secret keys. This vulnerability has been rectified in version 1.0.0-beta.9.

Affected Version(s)

rustfs >= 1.0.0-alpha.1, <= 1.0.0-beta.8

References

https://github.com/rustfs/rustfs/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2026
Vulnerability Reserved
Jun 16, 2026

CVE-2026-55188 Data

JSON

Rustfs

What is CVE-2026-55188?

Affected Version(s)

References

CVSS V3.1

Timeline