{"id":"CVE-2026-55189","summary":"RustFS: FTP frontend skips IAM authorization on object reads","details":"RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, when the FTP frontend is enabled, the FTP read and probe handlers dispatch directly to the storage backend without ever calling the IAM authorization function that the FTP write/list handlers (and the entire HTTP S3 path) use. As a result, any user who can authenticate to the FTP listener — including a user whose IAM policy contains an explicit Deny on s3:GetObject — can read (RETR) and stat (SIZE/MDTM) any object in any bucket, and probe any bucket (CWD), completely regardless of their IAM policy. This vulnerability is fixed in 1.0.0-beta.9.","aliases":["GHSA-3g29-xff2-92vp"],"modified":"2026-07-15T01:48:55.167435797Z","published":"2026-06-26T19:59:13.870Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-862","CWE-863"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55189.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55189.json"},{"type":"ADVISORY","url":"https://github.com/rustfs/rustfs/security/advisories/GHSA-3g29-xff2-92vp"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55189"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rustfs/rustfs","events":[{"introduced":"6a5fbe7ef112c77cc285dcdacfffbee28a76e4a9"},{"last_affected":"03eb10b07f5f968c531151ae667dfe218050493d"}],"database_specific":{"extracted_events":[{"introduced":"1.0.0-alpha.1"},{"last_affected":"1.0.0-beta.8"}],"source":"AFFECTED_FIELD"}}],"versions":["1.0.0-beta.8","1.0.0-beta.7","1.0.0-beta.6","1.0.0-beta.5","1.0.0-beta.4","1.0.0-beta.3","1.0.0-beta.2","v1.0.0-beta.1","1.0.0-beta.1","1.0.0-alpha.99","1.0.0-alpha.98","1.0.0-alpha.97","1.0.0-alpha.96","1.0.0-alpha.95","1.0.0-alpha.94","1.0.0-alpha.93","1.0.0-alpha.92","1.0.0-alpha.91","1.0.0-alpha.90","1.0.0-alpha.89","1.0.0-alpha.88","1.0.0-alpha.87","1.0.0-alpha.86","1.0.0-alpha.85","1.0.0-alpha.84","1.0.0-alpha.83","1.0.0-alpha.82","1.0.0-alpha.81","1.0.0-alpha.80","1.0.0-alpha.79","1.0.0-alpha.78","1.0.0-alpha.77","1.0.0-alpha.76","1.0.0-alpha.75","1.0.0-alpha.74","1.0.0-alpha.73","1.0.0-alpha.72","1.0.0-alpha.71","1.0.0-alpha.70","1.0.0-alpha.69","1.0.0-alpha.68","1.0.0-alpha.67","1.0.0-alpha.66","1.0.0-alpha.65","1.0.0-alpha.64","1.0.0-alpha.63","1.0.0-alpha.62","1.0.0-alpha.61","1.0.0-alpha.60","1.0.0-alpha.59","1.0.0-alpha.58","1.0.0-alpha.57","1.0.0-alpha.56","1.0.0-alpha.55","1.0.0-alpha.54","1.0.0-alpha.53","1.0.0-alpha.52","1.0.0-alpha.51","1.0.0-alpha.50","1.0.0-alpha.49","1.0.0-alpha.48","1.0.0-alpha.47","1.0.0-alpha.46","1.0.0-alpha.45","1.0.0-alpha.44","1.0.0-alpha.43","1.0.0-alpha.42","1.0.0-alpha.41","1.0.0-alpha.40","1.0.0-alpha.39","1.0.0-alpha.38","1.0.0-alpha.37","1.0.0-alpha.36","1.0.0-alpha.35","1.0.0-alpha.34","1.0.0-alpha.33","1.0.0-alpha.32","1.0.0-alpha.31","1.0.0-alpha.30","1.0.0-alpha.29","1.0.0-alpha.28","1.0.0-alpha.27","1.0.0-alpha.26","1.0.0-alpha.25","1.0.0-alpha.24","1.0.0-alpha.23","1.0.0-alpha.22","1.0.0-alpha.21","1.0.0-alpha.20","1.0.0-alpha.19","1.0.0-alpha.18","1.0.0-alpha.17","1.0.0-alpha.16","1.0.0-alpha.15","1.0.0-alpha.14","1.0.0-alpha.13","1.0.0-alpha.12","1.0.0-alpha.11","1.0.0-alpha.10","1.0.0-alpha.9","1.0.0-alpha.8","1.0.0-alpha.7","1.0.0-alpha.6","1.0.0-alpha.5","1.0.0-alpha.4","1.0.0-alpha.3","1.0.0-alpha.2","1.0.0-alpha.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55189.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"}]}