CVE-2026-47136 MEDIUM

CVE-2026-47136: RustFS: Unauthenticated RustFS console license endpoint exposes license metadata

Vendor Rustfs
Product rustfs
Weakness CWE-200 · Info exposure
Published May 28, 2026
Last update May 28, 2026
View on NVD All CVEs

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the RustFS console endpoint GET /rustfs/console/license returns parsed license metadata without requiring authentication. The endpoint is registered on the console listener and returns JSON containing license information such as the license subject and expiration timestamp. Any client that can reach the console listener can query this endpoint without credentials. This vulnerability is fixed in 1.0.0-beta.2.

Key dates

02Disclosure timeline

May 28, 2026 CVE published
May 28, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-47655 Microsoft Graph Information Disclosure Vulnerability CVE-2025-12147 Unauthorized access to fields protected by Field-Level Security (FLS) when those fields are members of an object CVE-2021-39211 Disclosure of GLPI and server information in telemetry endpoint CVE-2024-7339 TVT DVR TD-2104TS-CL queryDevInfo information disclosure CVE-2024-53244 Risky command safeguards bypass in “/en-US/app/search/report“ endpoint through “s“ parameter