Impact
RustFS versions prior to alpha.78 allow an attacker to evade IP-based access control by supplying forged X-Forwarded-For and X-Real-Ip headers. The server trusts these headers without verifying that the request actually arrived through a configured reverse proxy, so any client that can reach the service directly can claim an arbitrary source IP. An unauthorized client can therefore satisfy IP-allowlist policies and gain access to protected resources, potentially exposing data or services to parties that the allowlist was meant to exclude.
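The trust failure described above, and the check that closes it, as an added illustration in Rust. This is example code written for this page, not RustFS's own implementation; the Request type, the header layout, the trusted-proxy list and all addresses are assumptions constructed for the example. The vulnerable function believes whatever the client sent; the hardened one consults forwarded headers only when the TCP peer is a configured proxy, walks X-Forwarded-For from the right so that client-prepended values are ignored, and fails closed when the proxy supplied nothing usable.

```rust
use std::net::IpAddr;

/// A request as seen by the server: the TCP peer address plus HTTP headers.
/// Constructed representation for this example; RustFS's real types differ.
pub struct Request<'a> {
    pub peer: IpAddr,
    pub headers: &'a [(&'a str, &'a str)],
}

/// Case-insensitive header lookup (HTTP header names are case-insensitive).
fn header<'a>(req: &Request<'a>, name: &str) -> Option<&'a str> {
    req.headers
        .iter()
        .find(|(k, _)| k.eq_ignore_ascii_case(name))
        .map(|(_, v)| *v)
}

/// Vulnerable pattern: the forwarded headers are honoured no matter who sent them,
/// so a direct client can name any source address it likes.
pub fn client_ip_vulnerable(req: &Request) -> IpAddr {
    if let Some(v) = header(req, "x-forwarded-for") {
        if let Some(first) = v.split(',').next() {
            if let Ok(ip) = first.trim().parse::<IpAddr>() {
                return ip;
            }
        }
    }
    if let Some(v) = header(req, "x-real-ip") {
        if let Ok(ip) = v.trim().parse::<IpAddr>() {
            return ip;
        }
    }
    req.peer
}

/// Hardened pattern. Forwarded headers are consulted only when the TCP peer is a
/// configured proxy. X-Forwarded-For is walked right to left (the rightmost entry was
/// appended by the nearest proxy), skipping trusted hops, so values an attacker
/// prepended at the far left never win. Returns None when the request came through a
/// trusted proxy but no usable client address was supplied: callers must deny then,
/// rather than fall back to the proxy's own address.
pub fn client_ip_hardened(req: &Request, trusted_proxies: &[IpAddr]) -> Option<IpAddr> {
    let trusted = |ip: &IpAddr| trusted_proxies.contains(ip);
    if !trusted(&req.peer) {
        // Direct connection: the socket peer is the only address we can believe.
        return Some(req.peer);
    }
    if let Some(v) = header(req, "x-forwarded-for") {
        for hop in v.rsplit(',') {
            match hop.trim().parse::<IpAddr>() {
                Ok(ip) if trusted(&ip) => continue,
                Ok(ip) => return Some(ip),
                Err(_) => return None, // malformed chain: fail closed
            }
        }
    }
    if let Some(v) = header(req, "x-real-ip") {
        return v.trim().parse::<IpAddr>().ok();
    }
    None
}

/// Allowlist decision on a resolved client address; None (unresolvable) is denied.
pub fn allowed(ip: Option<IpAddr>, allowlist: &[IpAddr]) -> bool {
    ip.map_or(false, |ip| allowlist.contains(&ip))
}

fn main() {
    // Constructed sample: 10.0.0.5 is allowlisted, 192.0.2.1 is the only trusted proxy,
    // and 203.0.113.7 is an attacker connecting directly to the server.
    let allowlist = ["10.0.0.5".parse::<IpAddr>().unwrap()];
    let proxies = ["192.0.2.1".parse::<IpAddr>().unwrap()];
    let forged = [("X-Forwarded-For", "10.0.0.5"), ("X-Real-Ip", "10.0.0.5")];
    let req = Request { peer: "203.0.113.7".parse().unwrap(), headers: &forged };
    println!("vulnerable: {}", allowed(Some(client_ip_vulnerable(&req)), &allowlist));
    println!("hardened:   {}", allowed(client_ip_hardened(&req, &proxies), &allowlist));
}
```

The trusted-proxy list must describe the proxies that actually terminate client connections; if the proxy tier is itself reachable from the internet and does not overwrite or append to X-Forwarded-For, the right-to-left walk still ends at whatever the proxy passed through, so the proxy configuration has to be reviewed together with this code.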
Affected Systems
The vulnerable product is RustFS (rustfs). All 1.0.0 alpha releases before alpha.78 are affected, that is, 1.0.0 alpha.1 through alpha.77; alpha.78 and later are not affected.
Risk and Exploitability
The CVSS score of 7.7 indicates high severity. The EPSS score is below 1%, suggesting that exploitation is currently rare, and the vulnerability is not in the CISA KEV catalog, meaning no in-the-wild exploitation has been confirmed; neither fact rules out future exploitation. Any client that can reach the service over the network can send HTTP requests carrying fabricated X-Forwarded-For or X-Real-Ip headers and immediately satisfy the IP allowlist check. Because the flaw is remotely exploitable and defeats a network-level control, it is an attractive target for attackers seeking to reach allowlist-protected resources.
OpenCVE Enrichment
GitHub GHSA