CVE-2026-27607
Authorization Bypass in RustFS Presigned POST Uploads

Publication date: 2026-02-25

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses. Version 1.0.0-alpha.83 fixes the issue.
Meta Information
Published: 2026-02-25
Last Modified: 2026-02-25
Generated: 2026-05-07
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 27 associated CPEs; every row in the listing is identical:
Vendor Product Version / Range
rustfs rustfs 1.0.0
(The description above gives the affected range as 1.0.0-alpha.56 through 1.0.0-alpha.82.)
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27607 is a high-severity vulnerability in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82. The issue is caused by the system not validating policy conditions in presigned POST uploads (PostObject endpoint). Specifically, RustFS fails to enforce constraints such as content-length-range, starts-with, and exact Content-Type matching.

This means attackers can upload files that exceed size limits, upload files to arbitrary object keys (paths), and spoof the content type of uploaded files. The root cause is improper input validation and incorrect authorization, allowing attackers to bypass upload restrictions.
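The three policy conditions named in the answer above, enforced the way a fixed server should, as an added example in Rust that is not RustFS's own code (the Condition type, sample_policy, form_field and check_policy are hypothetical names; the rule that every non-exempt form field must be covered by some condition follows S3's POST policy contract):

```rust
// Added example, not RustFS code: enforce the S3-style POST policy conditions that
// the advisory says RustFS skipped. Conditions are modelled as already-decoded values
// (field names without the leading "$"); parsing the policy JSON is out of scope.
pub enum Condition {
    Eq(String, String),           // ["eq", "$Content-Type", "image/png"]
    StartsWith(String, String),   // ["starts-with", "$key", "uploads/alice/"]
    ContentLengthRange(u64, u64), // ["content-length-range", 0, 1048576]
}

/// Constructed sample policy: keys under uploads/alice/, PNG only, at most 1 MiB.
pub fn sample_policy() -> Vec<Condition> {
    vec![
        Condition::StartsWith("key".into(), "uploads/alice/".into()),
        Condition::Eq("Content-Type".into(), "image/png".into()),
        Condition::ContentLengthRange(0, 1 << 20),
    ]
}
/// Look up a multipart form field by name, case-insensitively.
fn form_field<'a>(fields: &[(&str, &'a str)], name: &str) -> Option<&'a str> {
    fields.iter().find(|(k, _)| k.eq_ignore_ascii_case(name)).map(|(_, v)| *v)
}

/// Reject the upload unless every condition holds for the form `fields` and the file part's
/// byte length `len`. As in S3, a form field no condition covers is rejected too (hypothetical port of that rule).
pub fn check_policy(conds: &[Condition], fields: &[(&str, &str)], len: u64) -> Result<(), String> {
    let mut covered: Vec<String> = Vec::new();
    for c in conds {
        match c {
            Condition::Eq(name, want) | Condition::StartsWith(name, want) => {
                covered.push(name.to_ascii_lowercase());
                let exact = matches!(c, Condition::Eq(..));
                let ok = form_field(fields, name)
                    .map_or(false, |v| if exact { v == want } else { v.starts_with(want.as_str()) });
                if !ok { return Err(format!("{name} fails {} {want:?}", if exact { "eq" } else { "starts-with" })); }
            }
            Condition::ContentLengthRange(min, max) => {
                if len < *min || len > *max { return Err(format!("content length {len} outside [{min}, {max}]")); }
            }
        }
    }
    const EXEMPT: [&str; 3] = ["policy", "x-amz-signature", "file"]; // exempt per S3's POST contract
    for (k, _) in fields {
        let lk = k.to_ascii_lowercase();
        if !EXEMPT.contains(&lk.as_str()) && !lk.starts_with("x-ignore-") && !covered.contains(&lk) {
            return Err(format!("form field {k:?} is not covered by any policy condition"));
        }
    }
    Ok(())
}
```

An oversize file, a key outside the signed prefix, a spoofed Content-Type, or an extra form field the policy never mentions each produce an Err before any bytes are committed to storage.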


How can this vulnerability impact me?

This vulnerability can lead to several serious impacts:
- Storage exhaustion due to unauthorized uploads of arbitrarily large files, potentially causing denial of service.
- Unauthorized data access or modification, such as overwriting configuration files or accessing other users' directories.
- Security bypasses including serving malicious content that could facilitate attacks like cross-site scripting (XSS).

The vulnerability is exploitable remotely with low attack complexity, requiring low privileges and no user interaction, affecting the integrity and availability of the system. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring and analyzing presigned POST upload requests to the RustFS PostObject endpoint for policy enforcement failures.

Specifically, you should look for uploads that bypass content-length-range restrictions, uploads to object keys that do not start with the required prefix, or uploads with spoofed Content-Type headers.

Commands or methods to detect this may include capturing HTTP POST requests to the RustFS service and inspecting the policy conditions versus actual upload parameters.
- Use network packet capture tools like tcpdump or Wireshark to capture POST requests to the RustFS server.
- Use curl or similar tools to manually test presigned POST uploads with varying content-length, object key prefixes, and Content-Type headers to see if the server enforces policies.
- Example command to capture traffic: tcpdump -i <interface> -w rustfs_traffic.pcap port 80 or 443
- Example curl command to test upload size enforcement: curl -X POST -F 'file=@largefile' <presigned_post_url>

[1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade RustFS to version 1.0.0-alpha.83 or later, where the vulnerability is fixed.

Until the upgrade can be performed, consider restricting access to the RustFS PostObject endpoint to trusted users or networks to reduce exposure.

Additionally, monitor upload activity for abnormal file sizes, unexpected object key prefixes, or unusual Content-Type headers to detect exploitation attempts.

