Executive Summary

CVE-2026-39360 is an authorization bypass vulnerability in the RustFS distributed object storage system prior to version alpha.90. It occurs in the multipart copy operation (UploadPartCopy), where the system fails to check if a user has permission to read objects from a source bucket.

Because of this missing authorization check, a low-privileged user who normally cannot read objects from a victim's bucket can still copy those objects into their own bucket by exploiting multipart upload copy functions. This breaks tenant isolation in multi-user or multi-tenant environments.

Technically, the multipart copy functions return success without verifying permissions, unlike the single-part copy operation which correctly enforces source and destination permissions. This flaw allows unauthorized exfiltration of private data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized data leakage where an attacker with minimal permissions on their own bucket can copy private objects from another user's bucket without having any read permissions on that bucket.

In multi-tenant deployments, this breaks tenant isolation, allowing attackers to exfiltrate confidential or sensitive data from other tenants.

The impact is a moderate severity risk that compromises confidentiality by enabling unauthorized cross-tenant data access and exfiltration.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves missing authorization checks in multipart copy operations within RustFS, allowing unauthorized data exfiltration. Detection would involve monitoring multipart upload copy activities that bypass expected permission checks.

Since the vulnerability exploits multipart UploadPartCopy operations without proper authorization, you can detect suspicious activity by auditing multipart upload requests, especially those involving the UploadPartCopy API calls.

Suggested commands or approaches include:

• Review logs for multipart upload operations, focusing on UploadPartCopy requests that copy objects from buckets where the requester lacks read permissions.
• Use RustFS or system audit logs to identify multipart uploads completed without corresponding authorization checks.
• If you have access to RustFS source or debug logs, trace calls to `upload_part_copy()`, `complete_multipart_upload()`, and `abort_multipart_upload()` to verify if authorization checks are missing.
• Monitor network traffic for suspicious multipart copy requests that include the `x-amz-copy-source` header referencing buckets the user should not access.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade RustFS to version alpha.90 or later, where the missing authorization checks in multipart copy operations have been fixed.

Until the upgrade can be applied, consider the following immediate steps:

• Restrict permissions for users to perform multipart upload copy operations, especially limiting the ability to create multipart uploads and upload parts unless fully trusted.
• Implement additional access controls or monitoring to detect and block unauthorized multipart copy requests.
• Audit and review bucket policies to ensure minimal exposure and enforce strict tenant isolation.
• If possible, temporarily disable multipart copy functionality or restrict it to trusted users until the patch is applied.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability breaks tenant isolation in multi-user or multi-tenant deployments by allowing unauthorized cross-tenant data exfiltration. Such unauthorized access to private data can lead to violations of data protection regulations and standards that require strict access controls and data confidentiality, such as GDPR and HIPAA.

Because an attacker can copy private objects from a victim bucket without proper authorization, this flaw poses a high confidentiality risk. This risk can result in non-compliance with regulations that mandate protection of sensitive or personal data against unauthorized access and disclosure.

Useful 0 Not Useful 0