Description
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses. Version 1.0.0-alpha.83 fixes the issue.
Published: 2026-02-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Object Write
Action: Apply Patch
AI Analysis

Impact

RustFS is a Rust‑based distributed object storage system. Between versions 1.0.0‑alpha.56 and 1.0.0‑alpha.82 the implementation of presigned POST uploads (PostObject) fails to validate policy conditions. This omission allows an attacker to ignore content-length-range, starts-with, and Content-Type restrictions, enabling uploads that exceed the intended size, are stored under arbitrary keys, and carry spoofed content types. As a consequence the attacker may exhaust storage resources, retrieve data that should be restricted, or bypass security controls that rely on these policy constraints.
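As an added illustration (not RustFS's own code), the following Python models the server-side check that the affected versions skipped: decoding the presigned POST policy and enforcing each of the condition kinds named above (exact match, starts-with, content-length-range) against the submitted form fields, failing closed on unknown conditions and on fields the policy does not cover. The policy document, form fields and exempt-field set are constructed for the example.

```python
import base64
import json

# Constructed S3-style POST policy for illustration (not taken from RustFS).
# It carries the three condition kinds the advisory names.
POLICY = {
    "expiration": "2026-12-31T00:00:00Z",
    "conditions": [
        {"bucket": "uploads"},                         # exact-match shorthand
        ["starts-with", "$key", "user/alice/"],        # object key prefix
        ["starts-with", "$Content-Type", "image/"],    # content-type prefix
        ["content-length-range", 0, 1048576],          # 0..1 MiB body
    ],
}
POLICY_B64 = base64.b64encode(json.dumps(POLICY).encode()).decode()

# Fields that carry the request itself rather than policy-constrained data.
EXEMPT = {"policy", "file", "x-amz-signature", "x-amz-algorithm",
          "x-amz-credential", "x-amz-date"}


def check_post_policy(policy_b64: str, form: dict, body_len: int) -> list:
    """Return the violated conditions; an empty list means the upload may proceed.
    form: the multipart fields other than the file body (the caller adds the
    bucket taken from the request path); body_len: size of the file part."""
    policy = json.loads(base64.b64decode(policy_b64))
    fields = {k.lower(): v for k, v in form.items()}  # names are case-insensitive
    errors, covered = [], set()
    for cond in policy.get("conditions", []):
        if isinstance(cond, dict):  # {"bucket": "uploads"} means ["eq", "$bucket", "uploads"]
            (name, value), = cond.items()
            cond = ["eq", "$" + name, value]
        op = cond[0]
        if op == "content-length-range":
            lo, hi = int(cond[1]), int(cond[2])
            if not lo <= body_len <= hi:
                errors.append(f"content length {body_len} outside [{lo}, {hi}]")
            continue
        name = str(cond[1]).lstrip("$").lower()
        covered.add(name)
        actual = fields.get(name, "")  # a missing field never satisfies a condition
        if op == "eq" and actual != cond[2]:
            errors.append(f"{name} must equal {cond[2]!r}")
        elif op == "starts-with" and not actual.startswith(cond[2]):
            errors.append(f"{name} must start with {cond[2]!r}")
        elif op not in ("eq", "starts-with"):
            errors.append(f"unknown condition {op!r}")  # fail closed
    # Every submitted field must be constrained by some condition, or it is rejected.
    for name in fields:
        if name not in covered and name not in EXEMPT and not name.startswith("x-ignore-"):
            errors.append(f"field {name!r} not covered by policy")
    return errors
```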

Affected Systems

The affected product is RustFS (RustFS rustfs). All releases from 1.0.0‑alpha.56 through 1.0.0‑alpha.82 are vulnerable. Version 1.0.0‑alpha.83 and later contain the fix.

Risk and Exploitability

The vulnerability receives a CVSS score of 8.1 (High). EPSS indicates a very low probability of exploitation (<1%) and the issue is not listed in the CISA KEV catalog. The likely attack surface is remote, as the flaw is triggered via any client that can obtain a presigned POST URL. Exploitation requires only knowledge of the presigned URL, which may be widely shared, so the severity remains high despite the low exploitation likelihood.

Generated by OpenCVE AI on April 17, 2026 at 15:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to RustFS 1.0.0‑alpha.83 or later, where policy validation is correctly enforced.
  • If an upgrade cannot be performed immediately, limit the use of presigned POST URLs to trusted clients and enforce stricter policy checks or disable the ability to set arbitrary policies via presigned uploads.
  • Monitor upload activity for unusually large files or writes to unexpected keys, and consider network‑level controls to throttle or block excessive upload traffic.



Advisories

Source: GitHub GHSA
ID: GHSA-w5fh-f8xh-5x3p
Title: RustFS: Missing Post Policy Validation leads to Arbitrary Object Write
History

Fri, 27 Feb 2026 02:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 15:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:rustfs:rustfs:1.0.0:alpha56:*:*:*:rust:*:*

Wed, 25 Feb 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Rustfs; Rustfs rustfs
Type: Vendors & Products
Values Added: Rustfs; Rustfs rustfs

Wed, 25 Feb 2026 03:15:00 +0000

Type: Description
Values Added: RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses. Version 1.0.0-alpha.83 fixes the issue.
Type: Title
Values Added: RustFS's Missing Post Policy Validation leads to Arbitrary Object Write
Type: Weaknesses
Values Added: CWE-20, CWE-863
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T20:06:03.487Z

Reserved: 2026-02-20T19:43:14.602Z

Link: CVE-2026-27607

Vulnrichment

Updated: 2026-02-25T20:05:56.899Z

NVD

Status: Analyzed

Published: 2026-02-25T03:16:04.787

Modified: 2026-02-25T15:37:08.497

Link: CVE-2026-27607

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:45:15Z

Weaknesses