CVE-2026-39360 RustFS has an authorization bypass in multipart UploadPartCopy enables cross-bucket object exfiltration

RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the multipart copy path UploadPartCopy. A low-privileged user who cannot read objects from a victim bucket can still exfiltrate victim objects by copying them into an...

CVE-2026-39360

RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the multipart copy path UploadPartCopy. A low-privileged user who cannot read objects from a victim bucket can still exfiltrate victim objects by copying them into an...

rustfs 安全漏洞

RustFS is a high-performance object storage system developed by RustFS. Versions of RustFS prior to alpha.90 contained security vulnerabilities. These vulnerabilities stemmed from the lack of authorization checks in multi-part replication paths, which could allow low-privilege users to bypass...

Exploit for Use of Hard-coded Credentials in Rustfs

CVE-2025-689...

CVE-2026-27822

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting XSS vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an...

CVE-2026-27607

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads PostObject, allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enabl...

EUVD-2026-8590

Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover...

Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover

Summary A Stored Cross-Site Scripting XSS vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an attacker can steal administrator credentials from localStorage, leading to full account...

GHSA-V9FG-3CR2-277J Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover

Summary A Stored Cross-Site Scripting XSS vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an attacker can steal administrator credentials from localStorage, leading to full account...

EUVD-2026-8588

RustFS: Missing Post Policy Validation leads to Arbitrary Object Write...

RustFS: Missing Post Policy Validation leads to Arbitrary Object Write

Summary RustFS does not validate policy conditions in presigned POST uploads PostObject, allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type...

GHSA-W5FH-F8XH-5X3P RustFS: Missing Post Policy Validation leads to Arbitrary Object Write

Summary RustFS does not validate policy conditions in presigned POST uploads PostObject, allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type...

CVE-2026-27822

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting XSS vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an...

CVE-2026-27822 Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting XSS vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an...

CVE-2026-27822

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting XSS vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an...

CVE-2026-27822 Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting XSS vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an...

CVE-2026-27822 Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting XSS vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an...

CVE-2026-27822

RustFS before 1.0.0-alpha.83 is affected by a Stored XSS in the RustFS Console that bypasses PDF preview logic, allowing an attacker to steal admin credentials from localStorage and potentially takeover accounts and compromise the system. The issue is fixed in 1.0.0-alpha.83. No exploitation deta...

CVE-2026-27607 RustFS's Missing Post Policy Validation leads to Arbitrary Object Write

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads PostObject, allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enabl...

CVE-2026-27607

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads PostObject, allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enabl...