Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27822 is a critical Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console, a Rust-based management interface for S3-compatible storage.'}, {'type': 'paragraph', 'content': "The vulnerability arises because the console's file preview feature identifies PDF files by extension or metadata but does not validate the actual content type. This allows an attacker to upload a malicious HTML file disguised as a PDF (with Content-Type set to text/html)."}, {'type': 'paragraph', 'content': "Since the RustFS Console and the S3 API share the same origin (same IP and port), scripts running in the preview iframe can access the parent window's localStorage, which stores sensitive administrator credentials."}, {'type': 'paragraph', 'content': 'When an administrator previews the malicious file, the embedded script executes, stealing credentials such as AccessKey, SecretKey, and SessionToken, leading to full administrative account takeover and system compromise.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to a full administrative account takeover in the RustFS system.'}, {'type': 'paragraph', 'content': "An attacker who exploits this flaw can steal administrator credentials stored in the browser's localStorage, allowing them to perform any administrative actions."}, {'type': 'list_item', 'content': 'Deleting data'}, {'type': 'list_item', 'content': 'Creating backdoors'}, {'type': 'list_item', 'content': 'Downloading the entire filesystem via the S3 API'}, {'type': 'paragraph', 'content': 'Overall, this leads to complete system compromise with high impact on confidentiality, integrity, and availability.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your RustFS Console version is prior to 1.0.0-alpha.83 and by verifying if the file preview feature improperly handles PDF files by content type.'}, {'type': 'paragraph', 'content': 'A practical detection method involves attempting to upload a file named with a .pdf extension but with a Content-Type of text/html containing a script payload. If the preview modal executes the script, the vulnerability is present.'}, {'type': 'paragraph', 'content': 'There are no specific commands provided, but you can use tools like curl or HTTP clients to upload a test file with a manipulated Content-Type header to the S3-compatible storage and then preview it in the console to observe if script execution occurs.'}, {'type': 'list_item', 'content': 'Example curl command to upload a malicious file: curl -X PUT --data-binary @malicious.html -H "Content-Type: text/html" https://your-rustfs-s3-endpoint/bucket/xss.pdf'}, {'type': 'list_item', 'content': 'Then, preview the uploaded xss.pdf file in the RustFS Console to see if the script executes.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade RustFS to version 1.0.0-alpha.83 or later, where this vulnerability is fixed.

Additional mitigation measures include:

• Serve user-uploaded content from a separate domain (origin separation) to enforce the Same-Origin Policy and isolate potentially malicious content from the management console.
• Implement strict security headers on the backend, such as Content-Security-Policy (CSP) to disallow inline scripts and restrict script execution.
• Use the X-Content-Type-Options: nosniff header to prevent browsers from interpreting files as a different MIME type than declared.

Useful 0 Not Useful 0