CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-59092

highCVSS 7.7covered by 1 sourcefirst seen 2026-07-02
JuiceFS through 1.3.1, fixed in commit a46979c, contains an authentication bypass vulnerability that allows unauthenticated remote attackers to access sensitive debug and metrics endpoints by exploiting improper handler registration on the shared http.DefaultServeMux. Attackers can request the /debug/pprof/cmdline endpoint to obtain the process command line containing metadata engine connection strings with database credentials, granting full read/write access to filesystem metadata, while other pprof handlers leak internal state and profiling handlers enable denial of service.

⚡ Watch CVE-2026-59092

Get an email if CVE-2026-59092 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-59092

CVE.org record

Embed the live status

CVE-2026-59092 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-59092 status](https://www.csirts.com/badge/CVE-2026-59092)](https://www.csirts.com/cve/CVE-2026-59092)