RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses. Version 1.0.0-alpha.83 fixes the issue.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Rustfs
  • Rustfs

Configuration 1 [-]

OR cpe:2.3:a:rustfs:rustfs:1.0.0:alpha56:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha57:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha58:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha59:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha60:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha61:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha62:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha63:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha64:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha65:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha66:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha67:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha68:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha69:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha70:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha71:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha72:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha73:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha74:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha75:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha76:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha77:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha78:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha79:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha80:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha81:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha82:*:*:*:rust:*:*

No data.

References
Link Providers
https://github.com/rustfs/rustfs/security/advisories/GHSA-w5fh-f8xh-5x3p cve-icon cve-icon
History

Wed, 25 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha56:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha57:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha58:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha59:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha60:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha61:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha62:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha63:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha64:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha65:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha66:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha67:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha68:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha69:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha70:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha71:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha72:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha73:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha74:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha75:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha76:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha77:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha78:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha79:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha80:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha81:*:*:*:rust:*:*
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha82:*:*:*:rust:*:*

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Rustfs
Rustfs rustfs
Vendors & Products Rustfs
Rustfs rustfs

Wed, 25 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
Description RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses. Version 1.0.0-alpha.83 fixes the issue.
Title RustFS's Missing Post Policy Validation leads to Arbitrary Object Write
Weaknesses CWE-20
CWE-863
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-25T02:10:28.086Z

Updated: 2026-02-25T20:06:03.487Z

Reserved: 2026-02-20T19:43:14.602Z

Link: CVE-2026-27607

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T03:16:04.787

Modified: 2026-02-25T15:37:08.497

Link: CVE-2026-27607

cve-icon Redhat

No data.