Cyber Resilience

CVE-2026-55188

High

Published: 26 June 2026

Modified: 27 June 2026
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0018 (7.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-55188 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). By exploit likelihood (EPSS) it ranks at the 7.8th percentile, below the median, and it is not currently listed in the CISA KEV catalog.


Vulnerability details

RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, RustFS contains an authorization bypass in the bucket replication admin API. The ListRemoteTargetHandler handler for listing remote replication targets only checks whether request credentials exist, but does not verify that the caller has replication or administrator permissions. As a result, an authenticated user with no effective bucket or admin permissions can list remote replication target configuration for a bucket. Because the returned BucketTarget objects include remote target credentials, this can disclose replication access keys and secret keys. This vulnerability is fixed in 1.0.0-beta.9.
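An added illustration of the bug class described above, written as hypothetical Rust and not RustFS's own code (the page shows neither the handler internals nor the fix): a handler whose only gate is "credentials present", beside a hardened version that checks a named admin action and redacts the remote secret key from the response. The `Caller` and `BucketTarget` types, the `LIST_REMOTE_TARGETS` action name and the redaction step are all assumptions.

```rust
// Added example (hypothetical, not RustFS code): authenticated != authorized.
use std::collections::HashSet;

/// Identity resolved from the request signature. `actions` holds the
/// admin/replication actions this identity is granted (assumed policy model).
pub struct Caller {
    pub access_key: String,
    pub actions: HashSet<&'static str>,
}

/// Remote replication target. The secret key is what the advisory says leaks.
#[derive(Clone, Debug, PartialEq)]
pub struct BucketTarget {
    pub endpoint: String,
    pub access_key: String,
    pub secret_key: String,
}

/// Hypothetical action name guarding the list-remote-targets admin API.
pub const LIST_REMOTE_TARGETS: &str = "admin:ListRemoteTargets";

/// Vulnerable pattern: the only check is "did the request carry credentials?".
/// Any authenticated principal, with no bucket or admin rights, receives the
/// full target list including secrets.
pub fn list_targets_vulnerable(
    caller: Option<&Caller>,
    targets: &[BucketTarget],
) -> Result<Vec<BucketTarget>, &'static str> {
    let _caller = caller.ok_or("access denied: no credentials")?;
    Ok(targets.to_vec())
}

/// Hardened pattern: require the specific admin action, and never echo the
/// remote secret key back to the client (redaction is an added hardening,
/// not something the advisory states the upstream fix does).
pub fn list_targets_fixed(
    caller: Option<&Caller>,
    targets: &[BucketTarget],
) -> Result<Vec<BucketTarget>, &'static str> {
    let caller = caller.ok_or("access denied: no credentials")?;
    if !caller.actions.contains(LIST_REMOTE_TARGETS) {
        return Err("access denied: caller lacks admin:ListRemoteTargets");
    }
    Ok(targets
        .iter()
        .map(|t| BucketTarget { secret_key: "<redacted>".to_string(), ..t.clone() })
        .collect())
}
```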


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1552 Unsecured Credentials (tactic: Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Authorization bypass in admin API directly exposes remote target credentials (access/secret keys), enabling T1552 Unsecured Credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

  • CVE-2026-40166 (shared CWE-200, CWE-863)
  • CVE-2026-48501 (shared CWE-863)
  • CVE-2026-41050 (shared CWE-863)
  • CVE-2026-22822 (shared CWE-863)
  • CVE-2026-26289 (shared CWE-863)
  • CVE-2026-27604 (shared CWE-200, CWE-862)
  • CVE-2026-30820 (shared CWE-863)
  • CVE-2026-27112 (shared CWE-863)
  • CVE-2026-48152 (shared CWE-863)
  • CVE-2024-38002 (shared CWE-862, CWE-863)

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

  • Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
  • Mandates authorization checks before permitting access or data processing via external systems.
  • The control provides a mechanism for authorized users to determine authorization matches, preventing sharing without proper authorization verification.
  • Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.
  • Ensures missing authorization mechanisms for critical data functions are identified and remediated via policy.
  • Annual reviews and proposal scrutiny detect and block matching programs that would expose sensitive data to unauthorized recipients or systems.
  • Requires explicit determination and documentation of authority before any PII processing occurs, addressing missing authorization.
  • Eliminates missing authorization by requiring documented approval and agreements prior to initiating any computer matching program.

Hardening callouts (derived)

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (4 rules)
  • V-248581 OL 8 must require users to provide a password for privilege escalation. via CWE-863
  • V-252656 The OL 8 operating system must not be configured to bypass password requirements for privilege escalation. via CWE-863
  • V-248581 OL 8 must require users to provide a password for privilege escalation. via CWE-862
RHEL 7 (4 rules)
  • V-251704 The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation. via CWE-862
  • V-204429 The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation. via CWE-862
  • V-204430 The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation. via CWE-863
RHEL 8 (2 rules)
  • V-251712 The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation. via CWE-862
  • V-251712 The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation. via CWE-863
Ubuntu 22.04 (2 rules)
  • V-260470 Ubuntu 22.04 LTS, when booted, must require authentication upon booting into single-user and maintenance modes. via CWE-200
  • V-260470 Ubuntu 22.04 LTS, when booted, must require authentication upon booting into single-user and maintenance modes. via CWE-522
Ubuntu 24.04 (2 rules)
  • V-270647 Ubuntu 24.04 LTS must not have the telnet package installed. via CWE-200
  • V-270675 Ubuntu 24.04 LTS when booted must require authentication upon booting into single-user and maintenance modes. via CWE-200
Windows 10 (1 rule)
  • V-220737 Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. via CWE-200
Windows Server 2016 (1 rule)
  • V-224974 Domain-created Active Directory Organizational Unit (OU) objects must have proper access control permissions. via CWE-200
Windows Server 2019 (1 rule)
  • V-205743 Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. via CWE-200
Windows Server 2022 (1 rule)
  • V-254395 Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. via CWE-200
