CVE-2026-45042
Improper Authorization in RustFS Object Copy Operation
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rustfs | rustfs | < 1.0.0-beta.2 (all versions prior to 1.0.0-beta.2; fixed in 1.0.0-beta.2) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized cross-bucket data copying, which breaks tenant isolation guarantees and lets sensitive data be moved into attacker-controlled buckets without the destination bucket's policy ever being consulted.
Such unauthorized data movement can lead to breaches of data protection policies required by standards like GDPR and HIPAA, as sensitive information may be exposed or transferred without appropriate controls.
Therefore, this vulnerability poses a risk to compliance with regulations that mandate strict access controls and data handling procedures to protect confidentiality.
Can you explain this vulnerability to me?
This vulnerability exists in RustFS, a distributed object storage system written in Rust, in versions prior to 1.0.0-beta.2. It is an improper authorization flaw in the UploadPartCopy operation (the S3-compatible call that copies an existing object into a part of a multipart upload), which allows objects to be copied across buckets without enforcing the destination bucket's restrictions on allowed copy sources.
Specifically, the server authorizes the two halves of the copy independently: a read permission check on the source bucket (GetObject) and a write permission check on the destination bucket (PutObject). It never evaluates the destination bucket's policy against the specified copy source, so a caller who holds both of those permissions can move data between buckets that the destination's policy was meant to keep apart.
The vulnerability was fixed in version 1.0.0-beta.2.
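The two authorization shapes described above, as an added illustration written for this page; it is not RustFS code and does not reproduce the project's fix. The bucket names, the `BucketPolicy` type and its `allowed_copy_sources` field are assumptions; the destination-side rule is modelled on an S3 bucket policy that conditions a write on the copy source (the `s3:x-amz-copy-source` condition key). The vulnerable function performs the two independent checks the advisory describes; the hardened one adds the destination-policy evaluation against the source bucket.

```rust
use std::collections::{HashMap, HashSet};

/// Actions that make up a copy. In S3 terms a copy is a GetObject on the
/// source object plus a PutObject on the destination; UploadPartCopy uses
/// the same source/destination pair and only adds an upload id and part number.
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub enum Action {
    GetObject,
    PutObject,
}

/// Identity-level grants held by the caller: (action, bucket) pairs.
#[derive(Default)]
pub struct Principal {
    grants: HashSet<(Action, String)>,
}

impl Principal {
    pub fn grant(&mut self, action: Action, bucket: &str) {
        self.grants.insert((action, bucket.to_string()));
    }
    pub fn can(&self, action: Action, bucket: &str) -> bool {
        self.grants.contains(&(action, bucket.to_string()))
    }
}

/// Destination-side policy (assumed model): the buckets this bucket accepts
/// copies from. `None` means unrestricted; `Some(set)` means only those
/// sources (a bucket that wants to allow copies within itself lists its own
/// name). This is the rule the flawed check never consults.
#[derive(Default)]
pub struct BucketPolicy {
    pub allowed_copy_sources: Option<HashSet<String>>,
}

pub struct CopyRequest<'a> {
    pub src_bucket: &'a str,
    pub dst_bucket: &'a str,
}

/// Vulnerable shape (CWE-863): two independent checks; nothing ties the
/// destination to the source the data is coming from.
pub fn authorize_copy_vulnerable(p: &Principal, req: &CopyRequest) -> bool {
    p.can(Action::GetObject, req.src_bucket) && p.can(Action::PutObject, req.dst_bucket)
}

/// Hardened shape: the same two identity checks, then the destination
/// bucket's policy is evaluated against the copy source. A destination with
/// a restriction list that does not name the source bucket is denied.
pub fn authorize_copy_fixed(
    p: &Principal,
    req: &CopyRequest,
    policies: &HashMap<String, BucketPolicy>,
) -> bool {
    if !authorize_copy_vulnerable(p, req) {
        return false;
    }
    match policies
        .get(req.dst_bucket)
        .and_then(|pol| pol.allowed_copy_sources.as_ref())
    {
        None => true,
        Some(allowed) => allowed.contains(req.src_bucket),
    }
}

/// Constructed scenario with hypothetical bucket names: "public-export" is
/// meant to receive copies only from "approved-release". An operator who
/// holds GetObject on "internal-secrets" and PutObject on "public-export"
/// tries to copy a secret into the export bucket. Returns
/// (vulnerable decision, fixed decision, fixed decision for a legitimate copy).
pub fn export_bucket_scenario() -> (bool, bool, bool) {
    let mut operator = Principal::default();
    operator.grant(Action::GetObject, "internal-secrets");
    operator.grant(Action::GetObject, "approved-release");
    operator.grant(Action::PutObject, "public-export");

    let mut policies = HashMap::new();
    policies.insert(
        "public-export".to_string(),
        BucketPolicy {
            allowed_copy_sources: Some(HashSet::from(["approved-release".to_string()])),
        },
    );

    let exfil = CopyRequest { src_bucket: "internal-secrets", dst_bucket: "public-export" };
    let legit = CopyRequest { src_bucket: "approved-release", dst_bucket: "public-export" };

    (
        authorize_copy_vulnerable(&operator, &exfil),
        authorize_copy_fixed(&operator, &exfil, &policies),
        authorize_copy_fixed(&operator, &legit, &policies),
    )
}

fn main() {
    let (vulnerable, fixed, legit) = export_bucket_scenario();
    println!("vulnerable check allows exfil copy: {vulnerable}");
    println!("fixed check allows exfil copy:      {fixed}");
    println!("fixed check allows approved copy:   {legit}");
}
```

The point of the scenario is that the caller is not exceeding any identity-level grant: both checks in the vulnerable path legitimately pass. What is missing is the resource-side rule, the destination bucket's own statement about where its contents may come from, which is exactly the check CWE-863 says was performed incorrectly.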
How can this vulnerability impact me?
This vulnerability can lead to unauthorized data movement between buckets in RustFS. An attacker or unauthorized user could copy objects from one bucket to another without proper permission checks on the destination bucket's policies.
This could result in data leakage, unauthorized data access, or data exposure across different storage buckets, potentially compromising sensitive or confidential information.
What immediate steps should I take to mitigate this vulnerability?
Upgrade RustFS to version 1.0.0-beta.2 or later, where the issue has been fixed, and confirm the version actually running on every node of the deployment after the upgrade. The advisory lists no workaround short of upgrading.