CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-55188

highCVSS 8.2covered by 1 sourcefirst seen 2026-06-26
RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, RustFS contains an authorization bypass in the bucket replication admin API. The ListRemoteTargetHandler handler for listing remote replication targets only checks whether request credentials exist, but does not verify that the caller has replication or administrator permissions. As a result, an authenticated user with no effective bucket or admin permissions can list remote replication target configuration for a bucket. Because the returned BucketTarget objects include remote target credentials, this can disclose replication access keys and secret keys. This vulnerability is fixed in 1.0.0-beta.9.

⚡ Watch CVE-2026-55188

Get an email if CVE-2026-55188 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-55188

CVE.org record

Embed the live status

CVE-2026-55188 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-55188 status](https://www.csirts.com/badge/CVE-2026-55188)](https://www.csirts.com/cve/CVE-2026-55188)