Access Control Weakness in RustFS Distributed Object Storage System
CVE-2026-55838

4.3 MEDIUM

Key Information:

Vendor

Rustfs

Status
Vendor
CVE Published:
26 June 2026

What is CVE-2026-55838?

An authorization bypass exists in the RustFS distributed object storage system. The metrics endpoint at /rustfs/admin/v3/metrics does not enforce the admin IAM policy check that other admin operations require; it only requires that the caller authenticate as a valid IAM user. As a result, an IAM user whose policy is restricted (for example, to a single bucket) can read server-wide operational data such as disk I/O statistics and network throughput. The impact is information disclosure only: the endpoint is read-only, so no data can be modified through it. Operators should upgrade to a release later than 1.0.0-beta.7 and, until then, treat the endpoint as reachable by every credentialed user; after upgrading, confirm with a non-admin IAM user's credentials that the endpoint now refuses the request.
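The pattern behind the bug, shown as an added illustration rather than RustFS's own code: an admin-only handler that stops at authentication (any valid IAM user passes) beside one that also checks the caller's policy for an admin action. The `Principal` type and the action name `admin:ServerInfo` are assumptions for the example, not RustFS identifiers.

```rust
// Added example, not RustFS code. `Principal` and ADMIN_METRICS_ACTION are
// hypothetical names chosen for illustration.
use std::collections::HashSet;

/// An IAM user whose credentials have already been verified (authentication),
/// carrying the set of actions its attached policy allows (authorization).
#[derive(Debug, Clone)]
pub struct Principal {
    pub name: String,
    pub allowed_actions: HashSet<String>,
}

/// Hypothetical policy action that should gate the admin metrics endpoint.
pub const ADMIN_METRICS_ACTION: &str = "admin:ServerInfo";

#[derive(Debug, PartialEq, Eq)]
pub enum Access {
    Allowed,
    Denied,
}

/// Builds a principal from a name and the actions its policy grants.
pub fn principal(name: &str, actions: &[&str]) -> Principal {
    Principal {
        name: name.to_string(),
        allowed_actions: actions.iter().map(|a| a.to_string()).collect(),
    }
}

/// Vulnerable pattern: the handler only requires *some* authenticated caller,
/// so any valid IAM user reaches the server-wide metrics.
pub fn metrics_access_vulnerable(caller: Option<&Principal>) -> Access {
    match caller {
        Some(_) => Access::Allowed,
        None => Access::Denied,
    }
}

/// Hardened pattern: authentication alone is not enough; the caller's policy
/// must grant the admin action, and everything else is denied by default.
pub fn metrics_access_fixed(caller: Option<&Principal>) -> Access {
    match caller {
        Some(p) if p.allowed_actions.contains(ADMIN_METRICS_ACTION) => Access::Allowed,
        _ => Access::Denied,
    }
}

fn main() {
    // Constructed sample principals: an admin, a bucket-scoped reader, and
    // an unauthenticated caller (None).
    let admin = principal("ops-admin", &[ADMIN_METRICS_ACTION, "s3:GetObject"]);
    let reader = principal("app-reader", &["s3:GetObject", "s3:ListBucket"]);

    for caller in [Some(&admin), Some(&reader), None] {
        let label = caller.map(|p| p.name.as_str()).unwrap_or("anonymous");
        println!(
            "{label:>10}: vulnerable={:?} fixed={:?}",
            metrics_access_vulnerable(caller),
            metrics_access_fixed(caller)
        );
    }
}
```

The difference is the guard on the `Some` arm: the vulnerable handler treats "has valid credentials" as sufficient, while the fixed one requires the specific admin action and falls through to `Denied` for every other case, including a principal with an empty policy.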

Affected Version(s)

rustfs <= 1.0.0-beta.7

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
