Skip to main content

Rustfs CVE-2026-27607

HIGH
Improper Input Validation (CWE-20)
2026-02-25 security-advisories@github.com GHSA-w5fh-f8xh-5x3p
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 25, 2026 - 03:16 nvd
HIGH 8.1

DescriptionGitHub Advisory

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses. Version 1.0.0-alpha.83 fixes the issue.

AnalysisAI

Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to circumvent presigned POST upload policy restrictions, bypassing content-length-range, starts-with, and Content-Type controls. An attacker can exploit this to upload oversized files, write to arbitrary object keys, and spoof file types, resulting in storage exhaustion and potential unauthorized data access.

Technical ContextAI

Classified as CWE-20 (Improper Input Validation). Affects Rustfs. RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypass

RemediationAI

Monitor vendor advisories for a patch. Validate file types by content. Store uploads outside web root. Restrict network access to the affected service where possible.

More in Rustfs

View all
CVE-2025-68705 CRITICAL POC
9.8 Jan 07

RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files o

CVE-2026-22043 CRITICAL POC
9.8 Jan 08

RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted c

CVE-2026-27822 CRITICAL POC
9.0 Feb 25

Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored ob

CVE-2026-22042 HIGH POC
8.8 Jan 08

Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permis

CVE-2026-22782 HIGH POC
7.5 Jan 16

RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invali

CVE-2026-45039 CRITICAL
9.8 May 28

Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remot

CVE-2026-45043 CRITICAL
9.3 May 29

Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportI

CVE-2026-45044 HIGH
8.8 May 28

Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0

CVE-2026-45041 HIGH
8.7 May 28

License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded

CVE-2026-49991 HIGH
8.6 Jun 26

Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket wri

CVE-2026-55188 HIGH
8.2 Jun 26

Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no ef

CVE-2025-69255 MEDIUM POC
4.0 Jan 07

RustFS is a distributed object storage system built in Rust. [CVSS 4.0 MEDIUM]

Share

CVE-2026-27607 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy