Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-49991— RustFS Snowball Auto-Extract: Path Traversal allows cross-bucket object injection

CVSS 8.6 · High EPSS 0.27% · P19

Affected Version Matrix 1

VendorProductVersion RangeStatus
rustfsrustfs1.0.0-beta.4affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-49991

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
RustFS Snowball Auto-Extract: Path Traversal allows cross-bucket object injection
Source: NVD (National Vulnerability Database)
Vulnerability Description
RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature to write arbitrary objects into other users' buckets, completely breaking multi-tenant isolation. The vulnerability chains three flaws: No ../ sanitization in tar entry key normalization; IAM wildcard matching uses raw (uncleaned) paths; and Filesystem path cleaning resolves ../ across bucket boundaries.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
RustFS 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
rustfs是RustFS组织开源的一个高性能对象存储系统。 RustFS 1.0.0-beta.4版本存在路径遍历漏洞,该漏洞源于Snowball自动提取功能中存在路径遍历问题,涉及tar条目键规范化中缺乏../清理、IAM通配符匹配使用原始路径以及文件系统路径清理跨存储桶边界解析../,可能导致已认证用户将任意对象写入其他用户的存储桶。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
rustfsrustfs 1.0.0-beta.4 -

II. Public POCs for CVE-2026-49991

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium
Qwen3.6-35B-A3B · 9539 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month

III. Intelligence Information for CVE-2026-49991

登录查看更多情报信息。

Vendor Advisories for CVE-2026-49991 (1)

Same Patch Batch · rustfs · 2026-06-26 · 4 CVEs total

CVE-2026-551888.2 HIGHRustFS: ListRemoteTargetHandler authorization bypass leaks replication target credentials
CVE-2026-551897.7 HIGHRustFS: FTP frontend skips IAM authorization on object reads
CVE-2026-558384.3 MEDIUMRustFS: Missing admin authorization on /rustfs/admin/v3/metrics allows any authenticated u

IV. Related Vulnerabilities

V. Comments for CVE-2026-49991

No comments yet


Leave a comment