Skip to main content

RustFS CVE-2026-45042

| EUVDEUVD-2026-32995 HIGH
Incorrect Authorization (CWE-863)
2026-05-28 GitHub_M
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 28, 2026 - 20:02 EUVD
Analysis Generated
May 28, 2026 - 19:28 vuln.today
CVSS changed
May 28, 2026 - 19:22 NVD
7.1 (HIGH)

DescriptionGitHub Advisory

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation validates GetObject permission on the source bucket and PutObject on the destination bucket independently, but does not enforce any policy constraints on whether the destination bucket permits the specified copy source. This enables unauthorized cross-bucket data movement. This vulnerability is fixed in 1.0.0-beta.2.

AnalysisAI

Improper authorization in RustFS prior to 1.0.0-beta.2 allows authenticated users to perform unauthorized cross-bucket object copies via the S3-compatible UploadPartCopy operation, bypassing destination-bucket policy constraints on permitted copy sources. The Rust-based distributed object storage system validates GetObject on the source and PutObject on the destination independently but never checks whether the destination bucket actually permits the specified source, enabling lateral data movement between buckets. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

RustFS is a distributed, S3-compatible object storage system implemented in Rust and identified by CPE cpe:2.3:a:rustfs:rustfs. The flaw is a CWE-863 (Incorrect Authorization) defect in the multipart-upload UploadPartCopy handler, which is the S3 API used to copy byte ranges from an existing object into a part of an in-progress multipart upload. In a correct S3 implementation, bucket policies on the destination can constrain the allowed x-amz-copy-source values (for example, restricting copies to objects from a specific source bucket or prefix). RustFS instead evaluates only two independent ACL checks - GetObject on the caller's source reference and PutObject on the destination - and never reconciles the destination bucket's source-copy policy, collapsing what should be a joint authorization decision into two disjoint ones.

RemediationAI

Upgrade to the vendor-released patched version RustFS 1.0.0-beta.2 or later, which corrects the UploadPartCopy authorization logic per the project advisory at https://github.com/rustfs/rustfs/security/advisories/GHSA-wfxj-ph3v-7mjf. If immediate upgrade is not possible, compensating controls include denying the s3:PutObject action when the request includes an x-amz-copy-source header via a gateway/reverse-proxy rule (which blocks all server-side copies and breaks legitimate multipart-copy workflows), tightening IAM so that no principal simultaneously holds GetObject on cross-tenant source buckets and PutObject on policy-restricted destinations, and auditing existing buckets for objects that may already have been copied in via UploadPartCopy. Each workaround sacrifices native S3 copy functionality, so apply only until the upgrade is rolled out.

More in Rustfs

View all
CVE-2025-68705 CRITICAL POC
9.8 Jan 07

RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files o

CVE-2026-22043 CRITICAL POC
9.8 Jan 08

RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted c

CVE-2026-27822 CRITICAL POC
9.0 Feb 25

Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored ob

CVE-2026-22042 HIGH POC
8.8 Jan 08

Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permis

CVE-2026-22782 HIGH POC
7.5 Jan 16

RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invali

CVE-2026-45039 CRITICAL
9.8 May 28

Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remot

CVE-2026-45043 CRITICAL
9.3 May 29

Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportI

CVE-2026-45044 HIGH
8.8 May 28

Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0

CVE-2026-45041 HIGH
8.7 May 28

License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded

CVE-2026-49991 HIGH
8.6 Jun 26

Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket wri

CVE-2026-55188 HIGH
8.2 Jun 26

Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no ef

CVE-2026-27607 HIGH
8.1 Feb 25

Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to

Share

CVE-2026-45042 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy