CVE-2026-59092
HIGHDescription
JuiceFS through 1.3.1, fixed in commit a46979c, contains an authentication bypass vulnerability that allows unauthenticated remote attackers to access sensitive debug and metrics endpoints by exploiting improper handler registration on the shared http.DefaultServeMux. Attackers can request the /debug/pprof/cmdline endpoint to obtain the process command line containing metadata engine connection strings with database credentials, granting full read/write access to filesystem metadata, while other pprof handlers leak internal state and profiling handlers enable denial of service.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2026-59092? +
How severe is CVE-2026-59092? +
How do I check if I'm vulnerable to CVE-2026-59092? +
Related Vulnerabilities
An authenticated admin user with access to both the management WebUI and command line interface on a Firebox can enable …
A vulnerability exists in serial device servers where active debug code remains enabled in the UART interface. An attacker with …
A leftover debug code vulnerability exists in the Telnet Diagnostic Interface functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted series …
Hard-coded credentials for the CyberPower PowerPanel test server can be found in the production code. This might result in an …
Active Debug Code in NEC Corporation Aterm WG1800HP4, WG1200HS3, WG1900HP2, WG1200HP3, WG1800HP3, WG1200HS2, WG1900HP, WG1200HP2, W1200EX(-MS), WG1200HS, WG1200HP, WF300HP2, W300P, …
Multiple SHARP routers leave the hidden debug function enabled. An arbitrary OS command may be executed with the root privilege …