Skip to main content

RustFS EUVDEUVD-2026-32999

| CVE-2026-46685 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-05-28 GitHub_M
6.0
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
May 28, 2026 - 20:02 EUVD
Analysis Generated
May 28, 2026 - 19:27 vuln.today
CVSS changed
May 28, 2026 - 19:22 NVD
6.0 (MEDIUM)

DescriptionGitHub Advisory

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: * on responses, including preflight responses and error responses. This creates a permissive cross-domain policy with untrusted origins. A browser visiting an attacker-controlled page can issue credentialed cross-origin requests to a reachable RustFS deployment and read the response when the victim browser has ambient credentials for the RustFS origin, such as saved HTTP Basic Auth credentials, reverse-proxy SSO cookies, or TLS client certificates. This vulnerability is fixed in 1.0.0-beta.2.

AnalysisAI

CORS origin reflection in RustFS's S3 listener exposes stored object data to cross-origin theft via browser-credentialed requests against all versions prior to 1.0.0-beta.2. When the RUSTFS_CORS_ALLOWED_ORIGINS environment variable is unset - the default state - the ConditionalCorsLayer middleware reflects any incoming Origin header verbatim as Access-Control-Allow-Origin while simultaneously asserting Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: *, including on preflight and error responses, nullifying the browser's same-origin policy protections. An unauthenticated attacker (PR:N) who lures a victim with ambient RustFS credentials to a malicious web page can exfiltrate object storage contents; no confirmed active exploitation (CISA KEV) and no public exploit identified at time of analysis. The fix is vendor-released in 1.0.0-beta.2.

Technical ContextAI

RustFS is a distributed, S3-compatible object storage system written in Rust. The vulnerable component is the ConditionalCorsLayer middleware within the S3 listener - a Tower-based HTTP middleware layer responsible for injecting CORS response headers. When RUSTFS_CORS_ALLOWED_ORIGINS is unset, the layer enters a fully permissive mode: it echoes the request's Origin header back as Access-Control-Allow-Origin (origin reflection), pairs this with Access-Control-Allow-Credentials: true, and wildcards Access-Control-Allow-Headers. Per the CORS specification, browsers permit cross-origin JavaScript to read responses only when the server reflects the exact request origin alongside the credentials flag - precisely the condition this misconfiguration creates. CWE-306 (Missing Authentication for Critical Function) applies in the sense that the CORS gate - which functions as an access-control boundary for browser-originated cross-domain requests - is entirely absent when the environment variable is not configured, effectively treating all origins as trusted. The CPE cpe:2.3:a:rustfs:rustfs:*:*:*:*:*:*:*:* with no version floor indicates every released version before 1.0.0-beta.2 carries this behavior.

RemediationAI

Upgrade to RustFS 1.0.0-beta.2 - the vendor-released patch confirmed by GitHub Security Advisory GHSA-x5xv-223c-8vm7 at https://github.com/rustfs/rustfs/security/advisories/GHSA-x5xv-223c-8vm7. This is the definitive fix and should be prioritized on any deployment reachable from browsers or reverse proxies carrying user credentials. As an immediate compensating control prior to patching, explicitly set the RUSTFS_CORS_ALLOWED_ORIGINS environment variable to a restrictive, allowlisted set of trusted origins (e.g., RUSTFS_CORS_ALLOWED_ORIGINS=https://trusted-dashboard.example.com); this disables the reflection behavior by giving the ConditionalCorsLayer an explicit list to match against. Trade-off: this requires knowing all legitimate cross-origin consumers in advance and will break any unlisted origins. If cross-origin browser access to RustFS is not required at all, configure a reverse proxy (nginx, Caddy, HAProxy) to strip or override CORS response headers before they reach clients, or add a WAF rule to block OPTIONS preflight requests from untrusted origins. Additionally, audit browser credential exposure: revoke or rotate HTTP Basic Auth credentials and SSO session cookies scoped to the RustFS origin, as these are the specific credential classes exploitable in this attack. TLS client certificate bindings to the RustFS origin should also be reviewed if applicable.

More in Rustfs

View all
CVE-2025-68705 CRITICAL POC
9.8 Jan 07

RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files o

CVE-2026-22043 CRITICAL POC
9.8 Jan 08

RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted c

CVE-2026-27822 CRITICAL POC
9.0 Feb 25

Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored ob

CVE-2026-22042 HIGH POC
8.8 Jan 08

Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permis

CVE-2026-22782 HIGH POC
7.5 Jan 16

RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invali

CVE-2026-45039 CRITICAL
9.8 May 28

Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remot

CVE-2026-45043 CRITICAL
9.3 May 29

Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportI

CVE-2026-45044 HIGH
8.8 May 28

Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0

CVE-2026-45041 HIGH
8.7 May 28

License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded

CVE-2026-49991 HIGH
8.6 Jun 26

Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket wri

CVE-2026-55188 HIGH
8.2 Jun 26

Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no ef

CVE-2026-27607 HIGH
8.1 Feb 25

Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to

Share

EUVD-2026-32999 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy