CVE-2026-45044 | Severity: HIGH | CNA: GitHub_M

CVE-2026-45044: RustFS: Authentication bypass in /profile/cpu and /profile/memory allows unauthenticated access to profiling handlers

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the admin router explicitly whitelists /profile/cpu and /profile/memory from the authentication layer, allowing any unauthenticated HTTP client to invoke profiling handlers without credentials. On supported builds (e.g., glibc), the handler invokes a fixed 60-second CPU profiling operation (dump_cpu_pprof_for(Duration::from_secs(60))). This may result in significant CPU resource consumption per request and can potentially lead to denial of service when abused. Additionally, the handler returns the server’s absolute filesystem path in the response body, resulting in information disclosure. This vulnerability is fixed in 1.0.0-beta.2.

HarborGuard Analysis

Synopsis

Authentication bypass in RustFS allows any unauthenticated HTTP client to invoke CPU and memory profiling endpoints (/profile/cpu and /profile/memory) directly over the network. The admin router explicitly skips the authentication layer for these paths, so no credentials are required to reach them. Successful exploitation lets an attacker trigger a 60-second CPU-intensive profiling operation per request, causing denial of service, and also discloses the server's absolute filesystem path. No fix version has been published yet; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection

Detection of CVE-2026-45044 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images derived from RustFS, in both registry scans and CI/CD pipeline checks.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.8 HIGH and surfaces it with per-environment compliance policy weighting, so teams with stricter SLAs for unauthenticated network-reachable issues see it prioritized accordingly. Triage routing is available to direct findings to the appropriate team inbox within each customer organization.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment upstream ships a corrected release. In the interim, compensating-control recommendations (such as network policy isolation for the admin router ports) are surfaced alongside the finding.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The profiling endpoints are exposed over HTTP, so an attacker must be able to reach the RustFS admin service across the network.

  • Authentication: Not required

    The admin router explicitly whitelists /profile/cpu and /profile/memory from the authentication layer, so no credentials of any kind are needed.

  • Victim interaction: Not required

    The attacker sends HTTP requests directly to the server; no user action or social engineering is involved.

  • Attack complexity: Low (CVSS AC:L)

    Exploitation is reliable and condition-free: any HTTP client that can reach the service can trigger the vulnerability without timing constraints or special environmental setup.

Blast Radius

  • Repeated requests each trigger a fixed 60-second CPU profiling run, exhausting CPU resources and degrading or halting the RustFS service.
  • The profiling response body returns the server's absolute filesystem path, giving an attacker layout information useful for follow-on attacks.
  • Service availability is directly impacted: sustained abuse can push the node into a denial-of-service state affecting all object storage operations backed by that node.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix for CVE-2026-45044 has been published, HarborGuard re-examines the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment a fixed version is released. Until then, the finding is flagged at HIGH severity in all scans of images containing the affected RustFS component. Customers can apply compensating controls today, such as network policy rules that restrict access to the RustFS admin port to trusted internal CIDR ranges, egress filtering to limit lateral exposure, and feature-flag or reverse-proxy rules that block requests to /profile/cpu and /profile/memory at the perimeter. For customers with auto-remediation enabled, a rebuild and regression test run will be initiated and a PR opened against affected workloads as soon as an upstream fix version is confirmed.
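As an added example (not HarborGuard's or RustFS's code), the script below turns the compensating controls just described into a log-triage check: it reads access-log lines, flags every request to /profile/cpu or /profile/memory that arrives without credentials or from outside a trusted CIDR, and estimates how many CPU-seconds a burst from one source commits the node to, using the fixed 60-second cost per /profile/cpu request stated in the advisory. The log line format, the 10.0.0.0/8 trusted range, the sample lines and the burst threshold are constructed assumptions; adapt them to your own proxy or load-balancer logs.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real RustFS output). Assumed format:
#   <ISO-8601 time> <client ip> <method> <path> <status> auth=<yes|no>
# where auth=yes means the request carried valid admin credentials.
SAMPLE_LOG = """\
2026-04-01T10:00:00Z 10.0.0.5 GET /profile/cpu 200 auth=yes
2026-04-01T10:00:03Z 203.0.113.7 GET /profile/cpu 200 auth=no
2026-04-01T10:00:04Z 203.0.113.7 GET /profile/cpu 200 auth=no
2026-04-01T10:00:05Z 203.0.113.7 GET /profile/memory 200 auth=no
2026-04-01T10:00:06Z 203.0.113.7 GET /profile/cpu 200 auth=no
2026-04-01T10:00:10Z 198.51.100.2 GET /profile/memory 200 auth=no
2026-04-01T10:00:12Z 10.0.0.9 PUT /bucket/object 200 auth=yes
2026-04-01T10:02:00Z 198.51.100.2 GET /profile/memory 200 auth=no
"""

PROFILE_PATHS = {"/profile/cpu", "/profile/memory"}  # paths named in the advisory
CPU_PROFILE_SECONDS = 60  # fixed cost of one /profile/cpu request, per the advisory
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal admin range

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) auth=(yes|no)$")


def parse_line(line):
    """Parse one log line in the assumed format; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status, auth = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "method": method,
        "path": path,
        "status": int(status),
        "auth": auth == "yes",
    }


def is_trusted(ip):
    """True if the client address falls inside one of the trusted CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyze(log_text, window=timedelta(seconds=60), burst_threshold=3):
    """Return per-request findings and per-source bursts for profiling-endpoint traffic."""
    findings = []
    per_source = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["path"] not in PROFILE_PATHS:
            continue
        reasons = []
        if not rec["auth"]:
            reasons.append("unauthenticated")  # the bypass itself: no credentials presented
        if not is_trusted(rec["ip"]):
            reasons.append("untrusted-source")  # reachable from outside the allowed CIDRs
        if reasons:
            findings.append({"ts": rec["ts"].isoformat(), "ip": rec["ip"],
                             "path": rec["path"], "reasons": reasons})
        per_source[rec["ip"]].append(rec)

    # Sliding window per source: the densest run of profiling requests within `window`.
    bursts = []
    for ip, recs in per_source.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = [], 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = recs[start:end + 1]
        if len(best) >= burst_threshold:
            cpu_hits = sum(1 for r in best if r["path"] == "/profile/cpu")
            bursts.append({"ip": ip, "requests": len(best),
                           "estimated_cpu_seconds": cpu_hits * CPU_PROFILE_SECONDS})
    return {"findings": findings, "bursts": bursts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for f in result["findings"]:
        print("FINDING", f["ts"], f["ip"], f["path"], ",".join(f["reasons"]))
    for b in result["bursts"]:
        print("BURST", b["ip"], b["requests"], "requests,",
              b["estimated_cpu_seconds"], "CPU-seconds committed")
```

On the sample data the trusted, authenticated request from 10.0.0.5 produces no finding, every request from the two external addresses is flagged as both unauthenticated and untrusted, and 203.0.113.7's four requests inside one 60-second window are reported as a burst that commits the node to roughly 180 CPU-seconds of profiling. The same two checks (path plus source network) are what a perimeter rule blocking /profile/cpu and /profile/memory enforces; the script is the detection-side complement for confirming that such a rule is in place and catching traffic that reached the service before it was.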

Metrics

CVSS v4.0: 8.8
Severity: HIGH
Fixed in:
Affected products: 1

Affected packages
  • rustfs / rustfs (< 1.0.0-beta.2)

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N