RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature to write arbitrary objects into other users' buckets, completely breaking multi-tenant isolation. The vulnerability chains three flaws: No ../ sanitization in tar entry key normalization; IAM wildcard matching uses raw (uncleaned) paths; and Filesystem path cleaning resolves ../ across bucket boundaries.
History

Mon, 29 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Rustfs
Rustfs rustfs
Vendors & Products Rustfs
Rustfs rustfs

Fri, 26 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature to write arbitrary objects into other users' buckets, completely breaking multi-tenant isolation. The vulnerability chains three flaws: No ../ sanitization in tar entry key normalization; IAM wildcard matching uses raw (uncleaned) paths; and Filesystem path cleaning resolves ../ across bucket boundaries.
Title RustFS Snowball Auto-Extract: Path Traversal allows cross-bucket object injection
Weaknesses CWE-22
CWE-862
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-26T20:01:29.896Z

Updated: 2026-06-29T13:15:10.741Z

Reserved: 2026-06-02T18:30:51.283Z

Link: CVE-2026-49991

cve-icon Vulnrichment

Updated: 2026-06-29T13:14:32.467Z

cve-icon NVD

No data.

cve-icon Redhat

No data.