Impact
RustFS’s multipart copy API (UploadPartCopy) lacks an authorization check in versions before alpha.90. As a result, a user with only low privileges, who normally cannot read objects from another bucket, can name a victim object as the copy source for a multipart upload the attacker controls and then complete that upload. Because the copied data lands in a bucket the attacker can read, the attacker retrieves the contents of the target bucket without ever holding read permissions on it. This breaks tenant isolation in multi‑tenant deployments and lets a user exfiltrate confidential data from another user’s bucket.
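The following is an added illustration, not RustFS code: a toy policy store and two authorization routines for an UploadPartCopy request. `authorize_vulnerable` has the shape the advisory describes (only the destination upload is checked), while `authorize_fixed` additionally requires read permission on the copy source, exactly as if the caller had issued GetObject on it. The policy model, bucket names and principals are constructed for the example.

```rust
use std::collections::{HashMap, HashSet};

/// Permission a principal may hold on a bucket (toy model, not RustFS's real policy types).
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
enum Action {
    GetObject,
    PutObject,
}

/// Hypothetical policy store: (principal, bucket) -> set of allowed actions.
struct PolicyStore {
    grants: HashMap<(String, String), HashSet<Action>>,
}

impl PolicyStore {
    fn new() -> Self {
        PolicyStore { grants: HashMap::new() }
    }

    fn grant(&mut self, principal: &str, bucket: &str, action: Action) {
        self.grants
            .entry((principal.to_string(), bucket.to_string()))
            .or_default()
            .insert(action);
    }

    fn allows(&self, principal: &str, bucket: &str, action: Action) -> bool {
        self.grants
            .get(&(principal.to_string(), bucket.to_string()))
            .map_or(false, |set| set.contains(&action))
    }
}

/// The parts of an UploadPartCopy request that matter for authorization.
struct UploadPartCopyRequest<'a> {
    principal: &'a str,
    dst_bucket: &'a str,
    src_bucket: &'a str,
    src_key: &'a str,
}

/// Shape of the flawed check: the destination upload is authorized,
/// but the object named as copy source is never checked.
fn authorize_vulnerable(store: &PolicyStore, req: &UploadPartCopyRequest) -> Result<(), String> {
    if !store.allows(req.principal, req.dst_bucket, Action::PutObject) {
        return Err(format!("AccessDenied: {} may not write {}", req.principal, req.dst_bucket));
    }
    Ok(())
}

/// Hardened check: the caller must be allowed to write the destination AND
/// to read the source object, as if they had issued GetObject on it directly.
fn authorize_fixed(store: &PolicyStore, req: &UploadPartCopyRequest) -> Result<(), String> {
    if !store.allows(req.principal, req.dst_bucket, Action::PutObject) {
        return Err(format!("AccessDenied: {} may not write {}", req.principal, req.dst_bucket));
    }
    if !store.allows(req.principal, req.src_bucket, Action::GetObject) {
        return Err(format!(
            "AccessDenied: {} may not read copy source {}/{}",
            req.principal, req.src_bucket, req.src_key
        ));
    }
    Ok(())
}

/// Constructed two-tenant policy: each user owns exactly one bucket.
fn demo_store() -> PolicyStore {
    let mut store = PolicyStore::new();
    for user in ["alice", "bob"] {
        let bucket = format!("{}-bucket", user);
        store.grant(user, &bucket, Action::GetObject);
        store.grant(user, &bucket, Action::PutObject);
    }
    store
}

fn main() {
    let store = demo_store();
    // alice tries to pull bob's object into her own multipart upload.
    let req = UploadPartCopyRequest {
        principal: "alice",
        dst_bucket: "alice-bucket",
        src_bucket: "bob-bucket",
        src_key: "secret.txt",
    };
    println!("vulnerable check: {:?}", authorize_vulnerable(&store, &req));
    println!("fixed check:      {:?}", authorize_fixed(&store, &req));
}
```

The point of the second condition is that a copy source is a read of that object by the requesting principal; any server-side copy path (UploadPartCopy, CopyObject) must evaluate the same read policy as a direct GetObject, otherwise the copy becomes a read-permission bypass.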
Affected Systems
The issue affects the RustFS distributed object storage system. All releases from the initial alpha release up through alpha.89 are vulnerable; the fix begins at alpha.90. The affected product is rustfs:rustfs, and the relevant CPE entries represent each alpha milestone up to alpha.89.
Risk and Exploitability
The CVSS base score of 5.3 classifies the flaw as medium severity. The EPSS score of less than 1% indicates a low likelihood of widespread exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would trigger the exploit via the REST API, sending an UploadPartCopy request from a low‑privilege account to a victim bucket. The scope of the impact is confined to data exfiltration from affected buckets, but it represents a significant breach of isolation in multi‑tenant environments. Given its medium score and low exploitation probability, the risk is moderate, but organizations with sensitive data are advised to remediate promptly.
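For deployments still on an affected alpha, a hunting heuristic over request logs is the practical detection: flag UploadPartCopy calls whose copy source lives in a bucket the calling principal does not own. The example below is added here and is not RustFS tooling; the tab-separated log layout (timestamp, principal, operation, destination bucket, x-amz-copy-source or "-") and the bucket-ownership map are assumptions constructed for the example, so adapt the parser to the real audit format.

```rust
use std::collections::HashMap;

/// One parsed audit record. Field layout is assumed for this example.
#[derive(Debug, PartialEq)]
struct AuditRecord {
    principal: String,
    operation: String,
    bucket: String,
    copy_source: Option<String>,
}

/// Parse a constructed tab-separated line; malformed lines yield None.
fn parse_line(line: &str) -> Option<AuditRecord> {
    let f: Vec<&str> = line.split('\t').collect();
    if f.len() < 5 {
        return None;
    }
    Some(AuditRecord {
        principal: f[1].to_string(),
        operation: f[2].to_string(),
        bucket: f[3].to_string(),
        copy_source: if f[4] == "-" { None } else { Some(f[4].to_string()) },
    })
}

/// Bucket component of an x-amz-copy-source value such as "/bucket/key" or "bucket/key".
fn source_bucket(copy_source: &str) -> &str {
    copy_source.trim_start_matches('/').split('/').next().unwrap_or("")
}

/// Return the raw lines where a principal used UploadPartCopy with a copy source
/// in a bucket owned by somebody else. Legitimately shared buckets will also
/// match, so treat hits as leads to triage, not confirmed abuse.
fn find_cross_tenant_copies<'a>(lines: &[&'a str], owner_of: &HashMap<&str, &str>) -> Vec<&'a str> {
    let mut hits = Vec::new();
    for line in lines {
        let Some(rec) = parse_line(line) else { continue };
        if rec.operation != "UploadPartCopy" {
            continue;
        }
        let Some(src) = rec.copy_source.as_deref() else { continue };
        let src_bucket = source_bucket(src);
        // Unknown owner is treated as foreign so it is surfaced rather than silently dropped.
        let owner = owner_of.get(src_bucket).copied().unwrap_or("");
        if owner != rec.principal {
            hits.push(*line);
        }
    }
    hits
}

/// Constructed sample log: one cross-tenant copy, two same-tenant copies, a plain
/// PutObject, and a truncated line that the parser must skip.
const SAMPLE_LOG: &[&str] = &[
    "2024-01-01T00:00:00Z\talice\tPutObject\talice-bucket\t-",
    "2024-01-01T00:00:01Z\talice\tUploadPartCopy\talice-bucket\t/alice-bucket/report.csv",
    "2024-01-01T00:00:02Z\talice\tUploadPartCopy\talice-bucket\t/bob-bucket/secret.txt",
    "2024-01-01T00:00:03Z\tbob\tUploadPartCopy\tbob-bucket\tbob-bucket/a.bin",
    "2024-01-01T00:00:04Z\tbob\tUploadPartCopy",
];

/// Constructed ownership map for the sample tenants.
fn demo_owners() -> HashMap<&'static str, &'static str> {
    HashMap::from([("alice-bucket", "alice"), ("bob-bucket", "bob")])
}

fn main() {
    let owners = demo_owners();
    for hit in find_cross_tenant_copies(SAMPLE_LOG, &owners) {
        println!("suspicious cross-tenant UploadPartCopy: {}", hit);
    }
}
```

Pair the log review with the version check: any hit from a host running an alpha before alpha.90 should be treated as a possible read of the source object by that principal, since the server would not have enforced read permission on it.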
OpenCVE Enrichment
Github GHSA