CVE-2026-55188
Published: 26 June 2026
Summary
CVE-2026-55188 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE is ranked at the 7.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-39866
Vulnerability details
RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, RustFS contains an authorization bypass in the bucket replication admin API. The ListRemoteTargetHandler handler for listing remote replication targets only checks whether request credentials exist, but does not verify that the caller has replication or administrator permissions. As a result, an authenticated user with no effective bucket or admin permissions can list remote replication target configuration for a bucket. Because the returned BucketTarget objects include remote target credentials, this can disclose replication access keys and secret keys. This vulnerability is fixed in 1.0.0-beta.9.
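As an added illustration (not RustFS source; the Caller type, the Action vocabulary and the permission model are assumptions standing in for the real policy layer), the two handler patterns the advisory contrasts: treating "credentials exist" as authorization versus checking the permission the handler actually needs, with secret redaction added as defense in depth:

```rust
// Added example, not RustFS source. Caller, Action and the permission
// model are assumptions standing in for the real server's policy layer.
#[derive(Clone, Debug, PartialEq)]
pub struct BucketTarget {
    pub endpoint: String,
    pub access_key: String,
    pub secret_key: String,
}
/// Hypothetical action names; the real policy vocabulary is not on the page.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Action { ListReplicationTargets, Admin }
pub struct Caller { pub has_credentials: bool, pub allowed: Vec<Action> }
#[derive(Debug, PartialEq)]
pub enum ApiError { Unauthenticated, AccessDenied }

/// Vulnerable pattern: the handler treats "credentials exist" as authorization,
/// so any authenticated principal receives the targets including their secrets.
pub fn list_targets_vulnerable(c: &Caller, targets: &[BucketTarget])
    -> Result<Vec<BucketTarget>, ApiError> {
    if !c.has_credentials { return Err(ApiError::Unauthenticated); }
    Ok(targets.to_vec())
}

/// Hardened pattern: authenticate, then require the replication permission
/// (or admin) for this specific action, then redact secrets before returning
/// (redaction is defense in depth added here, not a step the advisory states).
pub fn list_targets_hardened(c: &Caller, targets: &[BucketTarget])
    -> Result<Vec<BucketTarget>, ApiError> {
    if !c.has_credentials { return Err(ApiError::Unauthenticated); }
    let authorized = c.allowed.iter()
        .any(|a| matches!(a, Action::ListReplicationTargets | Action::Admin));
    if !authorized { return Err(ApiError::AccessDenied); }
    Ok(targets.iter()
        .map(|t| BucketTarget { secret_key: "<redacted>".to_string(), ..t.clone() })
        .collect())
}

fn main() {
    // Constructed sample data.
    let targets = vec![BucketTarget {
        endpoint: "https://replica.example".into(),
        access_key: "AKEXAMPLE".into(),
        secret_key: "constructed-secret".into(),
    }];
    let low_priv = Caller { has_credentials: true, allowed: vec![] };
    println!("vulnerable: {:?}", list_targets_vulnerable(&low_priv, &targets));
    println!("hardened:   {:?}", list_targets_hardened(&low_priv, &targets));
}
```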
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authorization bypass in admin API directly exposes remote target credentials (access/secret keys), enabling T1552 Unsecured Credentials.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
- Mandates authorization checks before permitting access or data processing via external systems.
- The control provides a mechanism for authorized users to determine authorization matches, preventing sharing without proper authorization verification.
- Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.
- Ensures missing authorization mechanisms for critical data functions are identified and remediated via policy.
- Annual reviews and proposal scrutiny detect and block matching programs that would expose sensitive data to unauthorized recipients or systems.
- Requires explicit determination and documentation of authority before any PII processing occurs, addressing missing authorization.
- Eliminates missing authorization by requiring documented approval and agreements prior to initiating any computer matching program.
Hardening callouts derived
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).
Oracle Linux 8 (4 rules)
- V-248581 OL 8 must require users to provide a password for privilege escalation. via CWE-863
- V-252656 The OL 8 operating system must not be configured to bypass password requirements for privilege escalation. via CWE-863
- V-248581 OL 8 must require users to provide a password for privilege escalation. via CWE-862
RHEL 7 (4 rules)
- V-251704 The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation. via CWE-862
- V-204429 The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation. via CWE-862
- V-204430 The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation. via CWE-863
RHEL 8 (2 rules)
- V-251712 The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation. via CWE-862
- V-251712 The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation. via CWE-863
Ubuntu 22.04 (2 rules)
- V-260470 Ubuntu 22.04 LTS, when booted, must require authentication upon booting into single-user and maintenance modes. via CWE-200
- V-260470 Ubuntu 22.04 LTS, when booted, must require authentication upon booting into single-user and maintenance modes. via CWE-522
Ubuntu 24.04 (2 rules)
- V-270647 Ubuntu 24.04 LTS must not have the telnet package installed. via CWE-200
- V-270675 Ubuntu 24.04 LTS when booted must require authentication upon booting into single-user and maintenance modes. via CWE-200
Windows 10 (1 rule)
- V-220737 Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. via CWE-200
Windows Server 2016 (1 rule)
- V-224974 Domain-created Active Directory Organizational Unit (OU) objects must have proper access control permissions. via CWE-200
Windows Server 2019 (1 rule)
- V-205743 Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. via CWE-200
Windows Server 2022 (1 rule)
- V-254395 Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. via CWE-200