RustFS Console CVE-2026-62378
CRITICALSeverity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Requires an authenticated uploader (PR:L) and an admin to open the preview (UI:R); script runs in the console origin stealing admin credentials, causing a scope change (S:C) and full storage compromise.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
RustFS Console is a web management console for the RustFS distributed file system. From 0.1.7 until 0.1.10, the RustFS Console components/object/preview-modal.tsx and components/object/pdf-viewer.tsx extension-based PDF preview path can render HTML content uploaded as .pdf, allowing stored cross-site scripting in the management console and exposure of administrator AccessKeyId, SecretAccessKey, and SessionToken values. This is caused by a regression of CVE-2026-27822. This vulnerability is fixed in 0.1.10.
AnalysisAI
Stored cross-site scripting in RustFS Console (0.1.7 through 0.1.9) lets an attacker upload an HTML payload disguised as a .pdf file that executes when an administrator previews it, exfiltrating the console's AccessKeyId, SecretAccessKey, and SessionToken. The flaw is a regression of the previously patched CVE-2026-27822 and stems from the PDF preview path trusting the .pdf filename extension rather than the actual content type. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) an account with permission to upload/store an object into a bucket viewable in the console (PR:L authenticated per the CVSS vector), (2) the ability to name that object with a .pdf extension while its bytes are HTML/JavaScript, and (3) a RustFS Console administrator subsequently opening that object in the object preview modal (UI:R - the preview click is the trigger). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H, base 9.0) reflects a network-reachable, low-complexity attack that requires some privilege (PR:L - an authenticated account able to upload objects) and victim interaction (UI:R - an admin must open the preview), with a scope change (S:C) because script executing in the admin's browser can steal the admin's storage credentials and thereby compromise the wider storage system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with an account permitted to upload objects stores a file named report.pdf whose contents are actually HTML with an embedded script. When a RustFS administrator opens that object in the console's preview modal, the extension-based logic routes it to the PDF viewer, the script runs in the console origin, and it harvests the admin's AccessKeyId, SecretAccessKey, and SessionToken. … |
| Remediation | Vendor-released patch: upgrade RustFS Console to v0.1.10, which changes isPdfPreview() to key exclusively on contentType === 'application/pdf' and no longer trusts the .pdf filename extension (commit 49630dc). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all deployed RustFS Console instances and their versions; immediately disable file upload and preview functionality for versions 0.1.7-0.1.9. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today