Description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: * on responses, including preflight responses and error responses. This creates a permissive cross-domain policy with untrusted origins. A browser visiting an attacker-controlled page can issue credentialed cross-origin requests to a reachable RustFS deployment and read the response when the victim browser has ambient credentials for the RustFS origin, such as saved HTTP Basic Auth credentials, reverse-proxy SSO cookies, or TLS client certificates. This vulnerability is fixed in 1.0.0-beta.2.
Published: 2026-05-28
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

RustFS exposes a permissive cross-domain policy when the RUSTFS_CORS_ALLOWED_ORIGINS variable is left unset. The S3 listener reflects whatever Origin header is supplied in the request back as Access-Control-Allow-Origin and also emits Access-Control-Allow-Credentials: true, effectively allowing any website to read responses from the RustFS endpoint. Because browsers attach ambient credentials such as HTTP Basic Auth data, SSO cookies, or TLS client certificates automatically, an attacker can cause a victim's browser to retrieve sensitive data that should have been reachable only by that authenticated browser. This flaw does not allow arbitrary code execution, but it does enable credential-based data exfiltration across origins.

Affected Systems

The affected product is RustFS, a distributed object storage system written in Rust. All deployments on versions released before 1.0.0-beta.2 that do not configure RUSTFS_CORS_ALLOWED_ORIGINS are vulnerable. No other vendors or product variants are mentioned in the advisory.

Risk and Exploitability

The CVSS score of 6 indicates a moderate to high severity. The EPSS score is not available, and this vulnerability is not listed in the CISA KEV catalog, implying that large-scale public exploitation is not yet documented. The likely attack vector is a browser-based Cross-Origin Resource Sharing (CORS) request issued from an attacker-controlled site. An attacker can only gain access if the victim's browser holds valid credentials for the RustFS origin; otherwise the request will not be fulfilled. Exploitation therefore requires a victim whose browser holds such credentials to visit a malicious page, which is a realistic threat in many company environments that rely on shared browsers or SSO cookies.

Generated by OpenCVE AI on May 28, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RustFS to 1.0.0-beta.2 or a later version that fixes the CORS handling bug.
  • If an upgrade cannot be applied immediately, set the environment variable RUSTFS_CORS_ALLOWED_ORIGINS to a strict whitelist of trusted origins so that the listener does not reflect arbitrary Origin values back to the client.
  • Alternatively, remove the Access-Control-Allow-Credentials header from all responses or disable CORS handling entirely, which eliminates the window for credential leakage.
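To make the reflective behaviour in the description and the whitelist remediation above concrete, here is an added example (not RustFS code and not its ConditionalCorsLayer): a std-only Rust model of the pre-fix CORS decision, a hardened form, and a check that flags the reflective-credentialed pattern in captured response headers. The function names and the comma-separated format of RUSTFS_CORS_ALLOWED_ORIGINS are assumptions.

```rust
// Added example, not RustFS code: a std-only model of the CORS decision the
// advisory describes, a hardened form, and a check over captured response
// headers. Names and the comma-separated env var format are assumptions.
type Header = (&'static str, String);

/// Assumption: RUSTFS_CORS_ALLOWED_ORIGINS is comma-separated; unset or empty
/// gives None, which is the vulnerable configuration in this model.
fn parse_allowlist(env_value: Option<&str>) -> Option<Vec<String>> {
    let raw = env_value?.trim();
    if raw.is_empty() {
        return None;
    }
    Some(raw.split(',').map(|s| s.trim().to_string()).collect())
}

/// Pre-1.0.0-beta.2 behaviour: no allowlist means any Origin is reflected,
/// with credentials and all headers allowed.
fn cors_headers_reflecting(origin: &str, allowed: Option<&[String]>) -> Vec<Header> {
    if allowed.map_or(false, |list| !list.iter().any(|a| a == origin)) {
        return Vec::new();
    }
    vec![
        ("Access-Control-Allow-Origin", origin.to_string()),
        ("Access-Control-Allow-Credentials", "true".to_string()),
        ("Access-Control-Allow-Headers", "*".to_string()),
    ]
}

/// Hardened form: no allowlist means no CORS headers; a listed origin is echoed
/// only on exact match, with Vary: Origin so shared caches keep responses apart.
fn cors_headers_hardened(origin: &str, allowed: Option<&[String]>) -> Vec<Header> {
    match allowed {
        Some(list) if list.iter().any(|a| a == origin) => vec![
            ("Access-Control-Allow-Origin", origin.to_string()),
            ("Access-Control-Allow-Credentials", "true".to_string()),
            ("Vary", "Origin".to_string()),
        ],
        _ => Vec::new(),
    }
}

/// Defender check: probe with an Origin you do not trust and flag a response that
/// echoes it while allowing credentials. A bare "*" is not flagged, because
/// browsers refuse to pair it with credentials.
fn is_reflective_credentialed(probe_origin: &str, headers: &[Header]) -> bool {
    let get = |n: &str| headers.iter().find(|(h, _)| h.eq_ignore_ascii_case(n)).map(|(_, v)| v.as_str());
    get("Access-Control-Allow-Origin") == Some(probe_origin)
        && get("Access-Control-Allow-Credentials").map_or(false, |v| v.eq_ignore_ascii_case("true"))
}
```

Run the check against your own deployment's responses with a probe Origin that is not in your allowlist; a hit means the listener is still reflecting and the environment variable has not taken effect.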


Tracking


Advisories

No advisories yet.

History

Thu, 28 May 2026 20:45:00 +0000

Type: First Time appeared
Values Added: Rustfs; Rustfs rustfs

Type: Vendors & Products
Values Added: Rustfs; Rustfs rustfs

Thu, 28 May 2026 20:30:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 19:00:00 +0000

Type: Description
Values Added: the description text shown at the top of this page

Type: Title
Values Added: RustFS: Reflective CORS with credentials on S3 listener; unauthenticated license metadata endpoint on console

Type: Weaknesses
Values Added: CWE-306; CWE-346; CWE-942

Type: References

Type: Metrics
Values Added: cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T19:22:19.301Z

Reserved: 2026-05-15T21:46:51.548Z

Link: CVE-2026-46685

Vulnrichment

Updated: 2026-05-28T19:20:20.247Z

NVD

Status: Deferred

Published: 2026-05-28T19:16:39.583

Modified: 2026-05-29T15:11:03.853

Link: CVE-2026-46685

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T21:00:17Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function

  • CWE-346

    Origin Validation Error

  • CWE-942

    Permissive Cross-domain Security Policy with Untrusted Domains