PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45044 rustfs CVE debrief

CVE-2026-45044 is a HIGH severity vulnerability (CVSS 8.8) in RustFS, a distributed object storage system built in Rust. The issue affects versions prior to 1.0.0-beta.2 and was published on 2026-05-28. The vulnerability stems from an authentication bypass in the admin router, where the `/profile/cpu` and `/profile/memory` endpoints are explicitly whitelisted from authentication checks. This allows unauthenticated HTTP clients to invoke CPU profiling handlers without credentials. On supported builds (e.g., glibc), the handler executes a fixed 60-second CPU profiling operation, which can lead to significant resource consumption and potential denial of service when abused. Additionally, the handler returns the server's absolute filesystem path in the response body, constituting information disclosure. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). A fix is available in version 1.0.0-beta.2.

Vendor: rustfs
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running RustFS distributed object storage systems prior to version 1.0.0-beta.2, particularly those with externally exposed administrative interfaces or deployments on glibc-based systems where the CPU profiling functionality is supported.

Technical summary

The RustFS admin router contains an explicit authentication whitelist for `/profile/cpu` and `/profile/memory` endpoints, permitting unauthenticated access to CPU and memory profiling handlers. The CPU profiling handler invokes `dump_cpu_pprof_for(Duration::from_secs(60))` on supported builds, creating a 60-second profiling window per request that can be exploited for resource exhaustion. The handler also leaks the server's absolute filesystem path in response bodies. The vulnerability is resolved in RustFS 1.0.0-beta.2.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade RustFS to version 1.0.0-beta.2 or later to remediate the authentication bypass and information disclosure vulnerabilities
  • Implement network-level access controls to restrict administrative endpoint exposure to trusted sources only
  • Monitor for anomalous CPU utilization patterns that may indicate exploitation attempts against profiling endpoints
  • Review application logs for unauthorized access attempts to `/profile/cpu` or `/profile/memory` endpoints
  • Assess whether absolute filesystem paths disclosed in profiling responses expose sensitive deployment information
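As an added illustration of the two monitoring actions above (this is not code from RustFS or from the advisory), the following script scans access-log lines for requests to the profiling endpoints, reports those sent without credentials, and flags any source that lands several requests inside one 60-second profiling window, since each such request stacks another profiler on the server. The log format, the trailing auth field ("-" when no Authorization header was sent), and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format: client, ident, user, [timestamp],
# "METHOD PATH PROTO", status, bytes, auth-scheme-or-dash.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<auth>\S+)$'
)
PROFILING_PATHS = ("/profile/cpu", "/profile/memory")
PROFILE_WINDOW = timedelta(seconds=60)  # fixed profiling duration per the advisory

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flag_events(lines, burst_threshold=3):
    """Return (unauthenticated profiling hits, IPs exceeding the burst threshold)."""
    unauth, hits_by_ip = [], defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["path"].split("?")[0] not in PROFILING_PATHS:
            continue
        hits_by_ip[rec["ip"]].append(rec["ts"])
        if rec["auth"] == "-":  # no credentials presented to an admin endpoint
            unauth.append((rec["ip"], rec["path"], rec["status"]))
    bursty = set()
    for ip, times in hits_by_ip.items():
        times.sort()
        for i, start in enumerate(times):
            # Requests within one 60 s window run concurrent profilers on the server.
            if sum(1 for t in times[i:] if t - start <= PROFILE_WINDOW) >= burst_threshold:
                bursty.add(ip)
                break
    return unauth, sorted(bursty)

# Constructed sample: one unauthenticated client hammering the endpoints,
# one authenticated admin making a single legitimate profiling request.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/May/2026:10:00:01 +0000] "GET /profile/cpu HTTP/1.1" 200 512 -',
    '203.0.113.5 - - [28/May/2026:10:00:20 +0000] "GET /profile/cpu HTTP/1.1" 200 512 -',
    '203.0.113.5 - - [28/May/2026:10:00:45 +0000] "GET /profile/memory HTTP/1.1" 200 512 -',
    '198.51.100.7 - - [28/May/2026:10:01:00 +0000] "GET /profile/cpu HTTP/1.1" 200 512 AWS4-HMAC-SHA256',
    '198.51.100.7 - - [28/May/2026:10:01:05 +0000] "GET /bucket/obj HTTP/1.1" 200 1024 AWS4-HMAC-SHA256',
]

if __name__ == "__main__":
    print(flag_events(SAMPLE_LOG))
```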

Evidence notes

Vulnerability description confirms authentication bypass for profiling endpoints, fixed 60-second CPU profiling duration, and information disclosure of absolute filesystem paths. CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and high availability impact.

Official resources

2026-05-28