PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49991 rustfs CVE debrief

CVE-2026-49991 is a high-severity vulnerability in RustFS, a distributed object storage system built in Rust. In version 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature. This allows them to write arbitrary objects into other users' buckets, completely breaking multi-tenant isolation. The vulnerability is caused by three flaws: lack of ../ sanitization in tar entry key normalization, IAM wildcard matching using raw paths, and filesystem path cleaning resolving ../ across bucket boundaries. The CVSS score for this vulnerability is 8.6, indicating a high severity. This vulnerability was published on June 26, 2026, and last modified on June 29, 2026.

Vendor: rustfs
Product: Unknown
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-26
Original CVE updated: 2026-06-29
Advisory published: 2026-06-26
Advisory updated: 2026-06-29

Who should care

Users of RustFS version 1.0.0-beta.4 should be aware of this vulnerability and take immediate action to mitigate it. Specifically, administrators of RustFS instances and users with PutObject permission on their own buckets should review their access controls and ensure that they are not exposed to unauthorized access. Additionally, users who rely on multi-tenant isolation in RustFS should verify that their instances are not vulnerable to this exploit.

Technical summary

The vulnerability in RustFS arises from three key flaws. First, the system does not properly sanitize ../ in tar entry key normalization, allowing for path traversal. Second, IAM wildcard matching uses raw, uncleaned paths, which can lead to unauthorized access. Third, filesystem path cleaning does not correctly resolve ../ across bucket boundaries, enabling attackers to write to arbitrary locations. An attacker with PutObject permission on their own bucket can exploit these flaws to write arbitrary objects into other users' buckets, bypassing multi-tenant isolation. The vulnerability has a CVSS score of 8.6, indicating high severity.
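The following Rust program is an added illustration for this debrief, not code from the RustFS project or its fix. It models the three flaws the summary lists from the defender's side: a lexical `..` normalizer of the insufficient kind (flaws one and three), an IAM-style wildcard match that is wrong when run on a raw key (flaw two), and a strict validator plus authorization function that rejects traversal segments before any path handling happens. All names (`validate_entry_key`, `naive_normalize`, `wildcard_matches`, `authorize_put`, `KeyError`) and the tenant bucket names are hypothetical; the hostile entry name is constructed for the demonstration.

```rust
// Added example, not RustFS code: validate archive entry keys before any
// normalization, and run the policy match on the validated key only.
// All identifiers and bucket names here are hypothetical.

use std::fmt;

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum KeyError {
    Empty,
    Absolute,
    ParentDir,
    CurrentDir,
    EmptySegment,
    ForbiddenChar(char),
    NotAuthorized,
}

impl fmt::Display for KeyError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            KeyError::Empty => write!(f, "empty key"),
            KeyError::Absolute => write!(f, "absolute key"),
            KeyError::ParentDir => write!(f, "'..' segment"),
            KeyError::CurrentDir => write!(f, "'.' segment"),
            KeyError::EmptySegment => write!(f, "empty segment"),
            KeyError::ForbiddenChar(c) => write!(f, "forbidden character {c:?}"),
            KeyError::NotAuthorized => write!(f, "resource not covered by policy"),
        }
    }
}

/// Lexical normalization of the kind the advisory calls insufficient: `..`
/// pops the previous segment, so a key that starts with `..` walks out of the
/// bucket prefix it was joined to (flaws one and three).
pub fn naive_normalize(path: &str) -> String {
    let mut parts: Vec<&str> = Vec::new();
    for seg in path.split('/') {
        match seg {
            "" | "." => {}
            ".." => { parts.pop(); }
            s => parts.push(s),
        }
    }
    parts.join("/")
}

/// Strict validation: the key must be a plain relative path of non-empty
/// segments, none of which is `.` or `..`. It is returned unchanged, so the
/// caller writes exactly the key it authorized and nothing is normalized later.
pub fn validate_entry_key(key: &str) -> Result<&str, KeyError> {
    if key.is_empty() { return Err(KeyError::Empty); }
    if key.starts_with('/') { return Err(KeyError::Absolute); }
    if let Some(c) = key.chars().find(|&c| c == '\\' || c == '\0') {
        return Err(KeyError::ForbiddenChar(c));
    }
    for seg in key.split('/') {
        match seg {
            "" => return Err(KeyError::EmptySegment),
            "." => return Err(KeyError::CurrentDir),
            ".." => return Err(KeyError::ParentDir),
            _ => {}
        }
    }
    Ok(key)
}

/// IAM-style wildcard match: `tenant-a/*` covers every resource under the
/// `tenant-a/` prefix. Run on a raw resource this is flaw two: the prefix is
/// satisfied even when the remainder contains `..` segments.
pub fn wildcard_matches(pattern: &str, resource: &str) -> bool {
    match pattern.strip_suffix("/*") {
        Some(prefix) => resource
            .strip_prefix(prefix)
            .map_or(false, |rest| rest.starts_with('/')),
        None => pattern == resource,
    }
}

/// Hardened PutObject authorization for one extracted entry: validate first,
/// then match the policy against `bucket/validated_key`. Returns the exact
/// resource path that may be written.
pub fn authorize_put(policy_resource: &str, bucket: &str, raw_key: &str) -> Result<String, KeyError> {
    let key = validate_entry_key(raw_key)?;
    let resource = format!("{bucket}/{key}");
    if wildcard_matches(policy_resource, &resource) {
        Ok(resource)
    } else {
        Err(KeyError::NotAuthorized)
    }
}

fn main() {
    let raw = "../tenant-b/config.json"; // constructed hostile archive entry name
    let joined = format!("tenant-a/{raw}");
    println!("raw wildcard match: {}", wildcard_matches("tenant-a/*", &joined));
    println!("naive normalize:    {}", naive_normalize(&joined));
    println!("hardened:           {:?}", authorize_put("tenant-a/*", "tenant-a", raw));
    println!("benign key:         {:?}", authorize_put("tenant-a/*", "tenant-a", "reports/2026/q2.csv"));
}
```

The order matters: validation runs on the raw entry name before it is joined to the bucket, and the authorization decision and the write both use the same validated string, so there is no later step at which a `..` could be resolved across a bucket boundary.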

Defensive priority

Given the high severity and potential impact of this vulnerability, defenders should prioritize patching or mitigating this issue immediately. Specifically, administrators should ensure that RustFS instances are updated to a version that fixes this vulnerability, restrict access controls to prevent exploitation, and monitor for suspicious activity that could indicate an ongoing or past exploit.

Recommended defensive actions

  • Update RustFS to a version that fixes the path traversal vulnerability.
  • Restrict PutObject permission to only trusted users and buckets.
  • Monitor RustFS instances for suspicious activity indicating potential exploitation.
  • Review and adjust access controls to ensure multi-tenant isolation.
  • Implement additional monitoring to detect any unauthorized access or modifications.

Evidence notes

The evidence for this vulnerability comes from the CVE record and the NVD detail page. The CVE record provides an overview of the vulnerability, including its description, CVSS score, and publication date. The NVD detail page offers additional information on the vulnerability, including its CVSS vector and weaknesses. A source item URL provides access to the NVD's REST API for CVE details. A GitHub security advisory provides additional context on the vulnerability and its fix.

Official resources

This article is AI-assisted and based on the supplied source corpus.