CVE-2026-27607

EUVD-2026-8588

25.02.2026, 03:16

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses. Version 1.0.0-alpha.83 fixes the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.1 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
rustfs	rustfs	1.0.0:alpha56
rustfs	rustfs	1.0.0:alpha57
rustfs	rustfs	1.0.0:alpha58
rustfs	rustfs	1.0.0:alpha59
rustfs	rustfs	1.0.0:alpha60
rustfs	rustfs	1.0.0:alpha61
rustfs	rustfs	1.0.0:alpha62
rustfs	rustfs	1.0.0:alpha63
rustfs	rustfs	1.0.0:alpha64
rustfs	rustfs	1.0.0:alpha65
rustfs	rustfs	1.0.0:alpha66
rustfs	rustfs	1.0.0:alpha67
rustfs	rustfs	1.0.0:alpha68
rustfs	rustfs	1.0.0:alpha69
rustfs	rustfs	1.0.0:alpha70
rustfs	rustfs	1.0.0:alpha71
rustfs	rustfs	1.0.0:alpha72
rustfs	rustfs	1.0.0:alpha73
rustfs	rustfs	1.0.0:alpha74
rustfs	rustfs	1.0.0:alpha75
rustfs	rustfs	1.0.0:alpha76
rustfs	rustfs	1.0.0:alpha77
rustfs	rustfs	1.0.0:alpha78
rustfs	rustfs	1.0.0:alpha79
rustfs	rustfs	1.0.0:alpha80
rustfs	rustfs	1.0.0:alpha81
rustfs	rustfs	1.0.0:alpha82

𝑥

= Vulnerable software versions

Common Weakness Enumeration

References

https://github.com/rustfs/rustfs/security/advisories/GHSA-w5fh-f8xh-5x3p