Authentication Bypass in JuiceFS by JuiceData
CVE-2026-59092

7 HIGH

Key Information:

Vendor: Juicedata

Status: Vendor

CVE Published: 2 July 2026

What is CVE-2026-59092?

JuiceFS versions prior to 1.3.1 are susceptible to an authentication bypass, enabling unauthenticated remote attackers to gain access to sensitive debug and metrics endpoints. This vulnerability stems from improper handler registration on the shared http.DefaultServeMux, allowing attackers to query the /debug/pprof/cmdline endpoint. Consequently, they can retrieve the process command line containing critical metadata engine connection strings, including database credentials. This unauthorized access allows full read/write capabilities to filesystem metadata, while additional profiling endpoints may leak internal state and enable denial of service attacks.
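The registration pattern described above, as an added Go example that is not JuiceFS's own code: the weak form registers a metrics handler on http.DefaultServeMux, which the net/http/pprof import has already populated with /debug/pprof/*, so the same listener answers /debug/pprof/cmdline; the hardened form serves a dedicated ServeMux and registers pprof only on a separate mux meant for a loopback-only listener. The metrics handler and the metric line it writes are hypothetical placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/pprof" // its init() registers /debug/pprof/* on http.DefaultServeMux
	"sync"
)

var weakOnce sync.Once
// metrics is a hypothetical stand-in for the real metrics handler; the line is constructed.
func metrics(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "juicefs_up 1") }

// weakMux reproduces the pattern the advisory describes: metrics are registered
// on the shared DefaultServeMux, which the pprof import has already populated,
// so the public metrics listener also answers /debug/pprof/cmdline unauthenticated.
func weakMux() http.Handler {
	weakOnce.Do(func() { http.HandleFunc("/metrics", metrics) })
	return http.DefaultServeMux
}

// metricsMux is the hardened form: a dedicated mux carrying only the public
// handlers; nothing registered on DefaultServeMux is reachable through it.
func metricsMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/metrics", metrics)
	return mux
}

// debugMux registers pprof explicitly on its own mux so it can be served on a
// separate, loopback-only listener and only when profiling is enabled.
func debugMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	return mux
}

// probe returns the status a handler gives for GET path; 404 means the route is not exposed.
func probe(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	fmt.Println("weak mux cmdline:", probe(weakMux(), "/debug/pprof/cmdline"))     // 200
	fmt.Println("hardened cmdline:", probe(metricsMux(), "/debug/pprof/cmdline")) // 404
}
```

The same probe is a cheap regression check for any Go service: never pass nil (DefaultServeMux) to http.ListenAndServe on a network-facing port.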

Affected Version(s)

juicefs 0 <= 1.3.1

juicefs a46979cdd4082217081ee99b931ddc53d038e47a

References

CVSS V4

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen