Executive Summary

CVE-2026-21862 is a vulnerability in RustFS, a distributed object storage system built in Rust, where IP-based access control can be bypassed. The issue occurs because the system trusts client-supplied HTTP headers `X-Forwarded-For` and `X-Real-IP` without verifying if the request passed through a trusted proxy. This allows any client with network access to RustFS to spoof these headers and forge the `aws:SourceIp` condition, which is used in IP allowlist policies for authorization.

Specifically, the function `get_condition_values` sets the remote address directly from these headers or defaults to `127.0.0.1` if absent. This remote address is then used in IAM or bucket policy evaluations to decide access permissions. Because there is no validation of the proxy or trust boundary, attackers can bypass IP-based restrictions without additional authentication.

A proof-of-concept shows that spoofing the `X-Forwarded-For` header to an allowed IP address can bypass IP allowlist policies and grant unauthorized access to list, read, or write operations.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to an authorization bypass of IP allowlists that rely on the `aws:SourceIp` condition in IAM or bucket policies. Attackers with network access to RustFS can spoof IP addresses in HTTP headers to gain unauthorized permissions.

• Unauthorized listing of buckets or objects.
• Unauthorized reading of stored data.
• Unauthorized writing or modification of stored data.

Since no additional authentication is required to exploit this, any reachable client can bypass IP-based access controls, potentially leading to data exposure or manipulation.

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP requests to the RustFS service for suspicious or spoofed X-Forwarded-For or X-Real-IP headers that do not match the actual client IP addresses.'}, {'type': 'paragraph', 'content': 'A practical approach is to capture and analyze network traffic to identify requests where these headers are set to IP addresses that should not be allowed or do not correspond to the real client IP.'}, {'type': 'list_item', 'content': 'Use packet capture tools like tcpdump or Wireshark to filter HTTP traffic to RustFS and inspect the X-Forwarded-For and X-Real-IP headers.'}, {'type': 'list_item', 'content': "Example tcpdump command to capture HTTP traffic on port 80 or 443 (adjust port as needed): tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep -i 'X-Forwarded-For\\|X-Real-IP'"}, {'type': 'list_item', 'content': "Use curl or similar HTTP clients to test the RustFS endpoint by sending requests with spoofed headers and observe if access control is bypassed, for example: curl -H 'X-Forwarded-For: 10.0.0.5' http://<rustfs-server>/bucket"}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade RustFS to version alpha.78 or later, where this vulnerability has been patched.

Until the upgrade can be performed, restrict network access to RustFS to trusted clients only, and avoid exposing the service directly to untrusted networks.

Additionally, configure any proxies or load balancers in front of RustFS to properly validate and sanitize X-Forwarded-For and X-Real-IP headers, ensuring that only trusted proxies can set these headers.

Review and tighten IAM and bucket policies to not rely solely on IP-based conditions that can be spoofed.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to bypass IP-based access controls by spoofing client IP headers, potentially granting unauthorized access to sensitive data stored in RustFS.

Such unauthorized access could lead to violations of data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Because the vulnerability enables attackers to circumvent IP allowlists without authentication, it undermines the security measures that help ensure compliance with these standards.

Useful 0 Not Useful 0