CVE-2026-27607
Received Received - Intake

Authorization Bypass in RustFS Presigned POST Uploads

Vulnerability report for CVE-2026-27607, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-25

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses. Version 1.0.0-alpha.83 fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-25
Last Modified
2026-02-25
Generated
2026-07-06
AI Q&A
2026-02-25
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 27 associated CPEs
Vendor Product Version / Range
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-27607 is a high-severity vulnerability in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82. The issue is caused by the system not validating policy conditions in presigned POST uploads (PostObject endpoint). Specifically, RustFS fails to enforce constraints such as content-length-range, starts-with, and exact Content-Type matching.

This means attackers can upload files that exceed size limits, upload files to arbitrary object keys (paths), and spoof the content type of uploaded files. The root cause is improper input validation and incorrect authorization, allowing attackers to bypass upload restrictions.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to several serious impacts:'}, {'type': 'list_item', 'content': 'Storage exhaustion due to unauthorized uploads of arbitrarily large files, potentially causing denial of service.'}, {'type': 'list_item', 'content': "Unauthorized data access or modification, such as overwriting configuration files or accessing other users' directories."}, {'type': 'list_item', 'content': 'Security bypasses including serving malicious content that could facilitate attacks like cross-site scripting (XSS).'}, {'type': 'paragraph', 'content': 'The vulnerability is exploitable remotely with low attack complexity, requiring low privileges and no user interaction, affecting the integrity and availability of the system.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring and analyzing presigned POST upload requests to the RustFS PostObject endpoint for policy enforcement failures.'}, {'type': 'paragraph', 'content': 'Specifically, you should look for uploads that bypass content-length-range restrictions, uploads to object keys that do not start with the required prefix, or uploads with spoofed Content-Type headers.'}, {'type': 'paragraph', 'content': 'Commands or methods to detect this may include capturing HTTP POST requests to the RustFS service and inspecting the policy conditions versus actual upload parameters.'}, {'type': 'list_item', 'content': 'Use network packet capture tools like tcpdump or Wireshark to capture POST requests to the RustFS server.'}, {'type': 'list_item', 'content': 'Use curl or similar tools to manually test presigned POST uploads with varying content-length, object key prefixes, and Content-Type headers to see if the server enforces policies.'}, {'type': 'list_item', 'content': 'Example command to capture traffic: tcpdump -i <interface> -w rustfs_traffic.pcap port 80 or 443'}, {'type': 'list_item', 'content': "Example curl command to test upload size enforcement: curl -X POST -F 'file=@largefile' <presigned_post_url>"}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade RustFS to version 1.0.0-alpha.83 or later, where the vulnerability is fixed.

Until the upgrade can be performed, consider restricting access to the RustFS PostObject endpoint to trusted users or networks to reduce exposure.

Additionally, monitor upload activity for abnormal file sizes, unexpected object key prefixes, or unusual Content-Type headers to detect exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27607. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart