Skip to main content

Rustfs EUVDEUVD-2026-19867

| CVE-2026-39360 MEDIUM
Missing Authorization (CWE-862)
2026-04-07 security-advisories@github.com GHSA-mx42-j6wv-px98
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 19:22 euvd
EUVD-2026-19867
Analysis Generated
Apr 07, 2026 - 19:22 vuln.today
CVE Published
Apr 07, 2026 - 19:16 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the multipart copy path (UploadPartCopy). A low-privileged user who cannot read objects from a victim bucket can still exfiltrate victim objects by copying them into an attacker-controlled multipart upload and completing the upload. This breaks tenant isolation in multi-user / multi-tenant deployments. This vulnerability is fixed in alpha.90.

AnalysisAI

RustFS alpha versions prior to alpha.90 allow authenticated users with limited permissions to bypass authorization checks in the multipart copy operation (UploadPartCopy), enabling exfiltration of objects from buckets they cannot directly read. This breaks tenant isolation in multi-tenant deployments by allowing a low-privileged user to copy victim objects into their own multipart upload and complete the transfer without proper authorization validation.

Technical ContextAI

RustFS is a distributed object storage system written in Rust. The vulnerability exists in the UploadPartCopy code path, which handles copying object parts during multipart upload operations. The root cause is a missing authorization check (CWE-862: Missing Authorization) that fails to validate whether the authenticated user has read access to the source object before permitting the copy operation. In multi-tenant environments, this allows a user authenticated to one tenant or bucket context to access objects from other tenants by leveraging the multipart upload mechanism, which apparently has weaker or missing permission validation compared to standard read operations.

RemediationAI

Upgrade to RustFS alpha.90 or later, which includes the fix for the missing authorization check in the UploadPartCopy operation. No workarounds are available; patching is the only remediation. Organizations should prioritize this upgrade if RustFS is deployed in multi-tenant environments. Refer to the GitHub security advisory at https://github.com/rustfs/rustfs/security/advisories/GHSA-mx42-j6wv-px98 for detailed patch information and deployment guidance.

More in Rustfs

View all
CVE-2025-68705 CRITICAL POC
9.8 Jan 07

RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files o

CVE-2026-22043 CRITICAL POC
9.8 Jan 08

RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted c

CVE-2026-27822 CRITICAL POC
9.0 Feb 25

Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored ob

CVE-2026-22042 HIGH POC
8.8 Jan 08

Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permis

CVE-2026-22782 HIGH POC
7.5 Jan 16

RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invali

CVE-2026-45039 CRITICAL
9.8 May 28

Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remot

CVE-2026-45043 CRITICAL
9.3 May 29

Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportI

CVE-2026-45044 HIGH
8.8 May 28

Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0

CVE-2026-45041 HIGH
8.7 May 28

License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded

CVE-2026-49991 HIGH
8.6 Jun 26

Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket wri

CVE-2026-55188 HIGH
8.2 Jun 26

Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no ef

CVE-2026-27607 HIGH
8.1 Feb 25

Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to

Share

EUVD-2026-19867 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy