VYPR
← All advisories
Medium severityNVD Advisory· Published May 28, 2026

CVE-2026-47136

CVE-2026-47136

Description

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the RustFS console endpoint GET /rustfs/console/license returns parsed license metadata without requiring authentication. The endpoint is registered on the console listener and returns JSON containing license information such as the license subject and expiration timestamp. Any client that can reach the console listener can query this endpoint without credentials. This vulnerability is fixed in 1.0.0-beta.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated endpoint in RustFS console exposes license metadata such as subject and expiration timestamp.

Vulnerability

RustFS before 1.0.0-beta.2 exposes an unauthenticated GET endpoint /rustfs/console/license on the console listener that returns parsed license metadata in JSON format. The route is registered in rustfs/src/admin/console.rs and the handler license_handler calls get_license() and returns the result without any authentication check. Affected versions: <=1.0.0-beta.1. [1]

Exploitation

An attacker with network access to the console listener (e.g., default port 9001) can simply send a GET request to /rustfs/console/license without any authentication or user interaction. The response includes license metadata such as the license subject and expiration timestamp. [1]

Impact

Successful exploitation allows an unauthenticated attacker to read license metadata, including the license subject and expiration timestamp. This leaks sensitive configuration information and may indicate whether a license is configured or expired. The exposure is limited to informational disclosure; no write or privilege escalation is described. [1]

Mitigation

The issue is fixed in version 1.0.0-beta.2. Users should upgrade to at least that version. No workarounds are mentioned; as a best practice, ensure the console listener is not exposed to untrusted networks. [1]

References
  1. Unauthenticated RustFS console license endpoint exposes license metadata

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Rustfs/Rustfsinferred2 versions
    <1.0.0-beta.2+ 1 more
    • (no CPE)range: <1.0.0-beta.2
    • (no CPE)range: <1.0.0-beta.2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing authentication check on the GET /rustfs/console/license endpoint allows unauthenticated access to license metadata."

Attack vector

An attacker sends an HTTP GET request to /rustfs/console/license on the RustFS console listener (default port 9001). The endpoint returns JSON containing the license subject and expiration timestamp without requiring any credentials [ref_id=1]. Any client that can reach the console listener can query this endpoint, making it exploitable from both local network positions and, if the console is exposed, from the internet [CWE-306].

Affected code

The vulnerability is in rustfs/src/admin/console.rs, where the route GET /rustfs/console/license is registered and the license_handler() function returns parsed license metadata without authentication [ref_id=1]. The handler calls get_license() from rustfs/src/license.rs to retrieve the license token metadata [ref_id=1].

What the fix does

The advisory recommends requiring admin authentication for GET /rustfs/console/license, matching the intended protection level for management/console data [ref_id=1]. If the frontend needs a public license-status endpoint, the fix should return only coarse-grained public status (e.g., whether a license is present) without exposing the license subject or expiration timestamp to unauthenticated callers [ref_id=1]. The patch is included in version 1.0.0-beta.2.

Preconditions

  • networkAttacker must be able to reach the RustFS console listener (default port 9001).
  • authNo authentication is required; any client can query the endpoint.

Reproduction

curl -s -i -X GET http://127.0.0.1:9001/rustfs/console/license

The endpoint returns HTTP 200 with JSON containing license metadata such as the subject and expiration timestamp [ref_id=1].

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.