Executive Summary

CVE-2026-27607 is a high-severity vulnerability in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82. The issue is caused by the system not validating policy conditions in presigned POST uploads (PostObject endpoint). Specifically, RustFS fails to enforce constraints such as content-length-range, starts-with, and exact Content-Type matching.

This means attackers can upload files that exceed size limits, upload files to arbitrary object keys (paths), and spoof the content type of uploaded files. The root cause is improper input validation and incorrect authorization, allowing attackers to bypass upload restrictions.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to several serious impacts:'}, {'type': 'list_item', 'content': 'Storage exhaustion due to unauthorized uploads of arbitrarily large files, potentially causing denial of service.'}, {'type': 'list_item', 'content': "Unauthorized data access or modification, such as overwriting configuration files or accessing other users' directories."}, {'type': 'list_item', 'content': 'Security bypasses including serving malicious content that could facilitate attacks like cross-site scripting (XSS).'}, {'type': 'paragraph', 'content': 'The vulnerability is exploitable remotely with low attack complexity, requiring low privileges and no user interaction, affecting the integrity and availability of the system.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring and analyzing presigned POST upload requests to the RustFS PostObject endpoint for policy enforcement failures.'}, {'type': 'paragraph', 'content': 'Specifically, you should look for uploads that bypass content-length-range restrictions, uploads to object keys that do not start with the required prefix, or uploads with spoofed Content-Type headers.'}, {'type': 'paragraph', 'content': 'Commands or methods to detect this may include capturing HTTP POST requests to the RustFS service and inspecting the policy conditions versus actual upload parameters.'}, {'type': 'list_item', 'content': 'Use network packet capture tools like tcpdump or Wireshark to capture POST requests to the RustFS server.'}, {'type': 'list_item', 'content': 'Use curl or similar tools to manually test presigned POST uploads with varying content-length, object key prefixes, and Content-Type headers to see if the server enforces policies.'}, {'type': 'list_item', 'content': 'Example command to capture traffic: tcpdump -i <interface> -w rustfs_traffic.pcap port 80 or 443'}, {'type': 'list_item', 'content': "Example curl command to test upload size enforcement: curl -X POST -F 'file=@largefile' <presigned_post_url>"}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade RustFS to version 1.0.0-alpha.83 or later, where the vulnerability is fixed.

Until the upgrade can be performed, consider restricting access to the RustFS PostObject endpoint to trusted users or networks to reduce exposure.

Additionally, monitor upload activity for abnormal file sizes, unexpected object key prefixes, or unusual Content-Type headers to detect exploitation attempts.

Useful 0 Not Useful 0