Impact
RustFS implements an UploadPartCopy operation that can copy objects from one bucket to another. Before version 1.0.0‑beta.2 the operation validates read permission on the source object and write permission on the destination bucket separately, but it does not check whether the bucket policy allows copying from that particular source. This flaw lets an attacker move data between buckets without respecting destination‑level restrictions. The result is a private data leak or modification that undermines confidentiality and possibly integrity, since objects can be copied out of a bucket that should be protected from cross‑bucket access.
Affected Systems
The vulnerability affects RustFS distributed object storage systems prior to 1.0.0‑beta.2, as published by the RustFS project. Every release older than 1.0.0‑beta.2 is in scope; the fix is present in 1.0.0‑beta.2 and later.
Risk and Exploitability
The CVSS score of 7.1 rates the flaw as High and indicates that it is remotely exploitable over a network. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, which suggests it is not known to be widely exploited at this time. An attacker who can read an object from a source bucket and write to a destination bucket can use the UploadPartCopy API call to bypass intended policy limits, moving data between buckets without authorization. The attack requires only network access to the RustFS service, read permission on the source object and write permission on the destination bucket.
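To make the authorization gap described above concrete, the following Rust model (added here; it is not RustFS code and does not reproduce its internals) contrasts the two checks: the pre-fix shape evaluates source read and destination write independently, so a destination statement restricting copy sources can never apply, while the fixed shape passes the copy source as request context. The Statement, Effect, evaluate, glob_match and authorize_copy* names are hypothetical; the copy-source constraint is modelled on the S3 condition key s3:x-amz-copy-source.

```rust
// Added example, not RustFS code: minimal model of the UploadPartCopy decision.
#[derive(Clone, Copy, PartialEq, Eq)]
pub enum Effect { Allow, Deny }

pub struct Statement {
    pub effect: Effect,
    pub action: &'static str,               // "s3:GetObject" or "s3:PutObject"
    pub bucket: &'static str,
    pub copy_source: Option<&'static str>,  // "bucket/key" or "bucket/*" (cf. s3:x-amz-copy-source)
}

fn glob_match(pattern: &str, value: &str) -> bool {
    match pattern.strip_suffix('*') {
        Some(prefix) => value.starts_with(prefix),
        None => pattern == value,
    }
}

/// Explicit Deny wins; otherwise one matching Allow is required. A statement
/// conditioned on the copy source only matches when that context is supplied.
pub fn evaluate(policy: &[Statement], action: &str, bucket: &str, copy_source: Option<&str>) -> bool {
    let mut allowed = false;
    for s in policy.iter().filter(|s| s.action == action && s.bucket == bucket) {
        let applies = match (s.copy_source, copy_source) {
            (None, _) => true,
            (Some(pat), Some(src)) => glob_match(pat, src),
            (Some(_), None) => false, // condition cannot be evaluated without context
        };
        if !applies { continue; }
        match s.effect {
            Effect::Deny => return false,
            Effect::Allow => allowed = true,
        }
    }
    allowed
}

/// Pre-fix shape: source read and destination write are checked independently,
/// so a destination statement that restricts copy sources never applies.
pub fn authorize_copy_separately(src: &[Statement], dst: &[Statement], src_bucket: &str, dst_bucket: &str) -> bool {
    evaluate(src, "s3:GetObject", src_bucket, None) && evaluate(dst, "s3:PutObject", dst_bucket, None)
}

/// Fixed shape: the destination write is evaluated with the copy source as
/// request context, so source-restricting statements on the destination apply.
pub fn authorize_copy(src: &[Statement], dst: &[Statement], src_bucket: &str, src_key: &str, dst_bucket: &str) -> bool {
    let source = format!("{src_bucket}/{src_key}");
    evaluate(src, "s3:GetObject", src_bucket, None) && evaluate(dst, "s3:PutObject", dst_bucket, Some(&source))
}
```

A regression test for this class of bug is a destination policy that explicitly denies writes sourced from a protected bucket: the copy must be refused even though source read and destination write are each individually allowed.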
OpenCVE Enrichment