CVE-2026-27607

Published Feb 25, 2026

Last updated 2 months ago

CVSS high 8.1

Overview

Description: RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses. Version 1.0.0-alpha.83 fixes the issue.
Source: security-advisories@github.com
NVD status: Analyzed
Products: rustfs

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.1
Impact score: 5.2
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Severity: CRITICAL

Weaknesses

security-advisories@github.com: CWE-20
nvd@nist.gov: CWE-863

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha56:*:*:*:rust:*:*",
            "matchCriteriaId": "5BE55B7E-3806-4F8A-B09C-7B9D173D3FAE",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha57:*:*:*:rust:*:*",
            "matchCriteriaId": "8CF07DA6-11F6-4A19-9FD9-1955EC22C779",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha58:*:*:*:rust:*:*",
            "matchCriteriaId": "1A571B98-0EE7-46A6-8514-3E02F9CE969A",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha59:*:*:*:rust:*:*",
            "matchCriteriaId": "3263EEC7-94FF-4802-BCB2-0C3713079439",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha60:*:*:*:rust:*:*",
            "matchCriteriaId": "FA13E6EE-A889-408E-8503-2F57A5E46CE1",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha61:*:*:*:rust:*:*",
            "matchCriteriaId": "4D28A63E-ADE5-4DEC-8E75-0884A7011613",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha62:*:*:*:rust:*:*",
            "matchCriteriaId": "21E6129E-565C-45AE-A0C8-2D1B623EEC9D",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha63:*:*:*:rust:*:*",
            "matchCriteriaId": "046F640C-18E9-4FC4-812D-8E4CAAFCAE55",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha64:*:*:*:rust:*:*",
            "matchCriteriaId": "BFB217B7-78AA-4D16-9A2B-863BD6CD01B6",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha65:*:*:*:rust:*:*",
            "matchCriteriaId": "F8EEF3FF-410B-40F3-A144-CD61ED394109",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha66:*:*:*:rust:*:*",
            "matchCriteriaId": "E3494138-7FE7-4152-935C-C1C35179064B",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha67:*:*:*:rust:*:*",
            "matchCriteriaId": "9E0461BC-0E45-4F9F-A837-4D9FC8852A75",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha68:*:*:*:rust:*:*",
            "matchCriteriaId": "E259407D-61CF-4956-A456-57F131334456",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha69:*:*:*:rust:*:*",
            "matchCriteriaId": "B6E44EF8-98A5-47F5-B7E9-3199EB08FAC1",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha70:*:*:*:rust:*:*",
            "matchCriteriaId": "F4CBBD85-02F9-491A-8845-59EFB88F2DAF",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha71:*:*:*:rust:*:*",
            "matchCriteriaId": "2271380A-3AE1-4954-8D16-5065C8E88D32",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha72:*:*:*:rust:*:*",
            "matchCriteriaId": "DB3F6C7E-71E4-427A-96F4-F62DE0ED9450",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha73:*:*:*:rust:*:*",
            "matchCriteriaId": "980BEAAE-143E-4F28-9A2F-58CED3D296E9",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha74:*:*:*:rust:*:*",
            "matchCriteriaId": "8E14C88E-CE9B-44DA-98DE-280C0D6E4C8D",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha75:*:*:*:rust:*:*",
            "matchCriteriaId": "EEC13614-61AD-45A7-B7FA-07346D33CACF",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha76:*:*:*:rust:*:*",
            "matchCriteriaId": "6B3E9EB0-0A41-4146-B6A9-49B1A70358DC",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha77:*:*:*:rust:*:*",
            "matchCriteriaId": "CBDD75C5-1A08-4758-9324-172C1D539322",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha78:*:*:*:rust:*:*",
            "matchCriteriaId": "96461CC0-012C-40D7-B1CB-FF9A6B7EB644",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha79:*:*:*:rust:*:*",
            "matchCriteriaId": "9AA7AE2E-83E3-4796-8569-16030DB2CF38",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha80:*:*:*:rust:*:*",
            "matchCriteriaId": "73638EAF-BCA6-4BD8-90E5-3A53EFD0FD5C",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha81:*:*:*:rust:*:*",
            "matchCriteriaId": "48BCB4A7-57C5-4FAA-860D-B862947EE352",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha82:*:*:*:rust:*:*",
            "matchCriteriaId": "0EA73A06-6AEA-45DF-B819-D25AA9BBEBA7",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References