CVE-2026-59092

JuiceFS · JuiceFS

An authentication bypass in JuiceFS allows unauthenticated remote attackers to access sensitive debug endpoints and filesystem metadata.

Executive summary

JuiceFS versions through 1.3.1 are vulnerable to an authentication bypass that permits unauthenticated remote attackers to access sensitive system credentials and data.

Vulnerability

This is an authentication bypass vulnerability that permits unauthenticated remote attackers to access sensitive debug and metrics endpoints. By exploiting this, an attacker can retrieve process command lines containing database credentials and obtain full read/write access to filesystem metadata.

Business impact

With a CVSS score of 7.7, this vulnerability represents a critical security failure. Because it allows for the exfiltration of database credentials and grants full control over filesystem metadata, an attacker could compromise the entire storage backend, leading to total data loss, unauthorized data modification, or long-term persistence in the environment.

Remediation

Immediate Action: Update JuiceFS to the version containing the fix (commit a46979c).

Proactive Monitoring: Inspect server logs for unauthorized access attempts to debug or metrics endpoints and monitor for any anomalous database connection requests.

Compensating Controls: Ensure that sensitive debug and metrics endpoints are not exposed to the public internet; implement network-level access control lists (ACLs) to restrict access to trusted management IP addresses only.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability is highly severe due to the exposure of credentials and metadata. Organizations must prioritize patching to the corrected commit immediately. If an immediate update is not possible, ensure these endpoints are isolated from any untrusted network segments to prevent remote exploitation.