CVE-2026-45042
Deferred - Pending Action
Improper Authorization in RustFS Object Copy Operation

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation validates GetObject permission on the source bucket and PutObject on the destination bucket independently, but does not enforce any policy constraints on whether the destination bucket permits the specified copy source. This enables unauthorized cross-bucket data movement. This vulnerability is fixed in 1.0.0-beta.2.
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-06-18
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16
Affected Vendors & Products (2 associated CPEs)
Vendor: rustfs | Product: rustfs | Version / Range: up to 1.0.0-beta.2 (inclusive)
Vendor: rustfs | Product: rustfs | Version / Range: up to 1.0.0-beta.2 (exclusive)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

This vulnerability exists in RustFS, a distributed object storage system built in Rust, in versions prior to 1.0.0-beta.2. It involves improper authorization in the UploadPartCopy operation, which allows copying objects across different buckets without properly enforcing restrictions on the destination bucket regarding allowed copy sources.

Specifically, the system checks permissions independently for getting objects from the source bucket and putting objects into the destination bucket, but it does not enforce any policy to verify whether the destination bucket permits copying from the specified source bucket. This flaw enables unauthorized cross-bucket data movement.

The vulnerability was fixed in version 1.0.0-beta.2.
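The authorization gap described in the Description and Executive Summary, as an added Rust illustration that is not RustFS code: the Grants type, BucketPolicy struct and tenant bucket names are assumptions, the unpatched function reproduces only the shape of the independent source/destination checks the advisory describes, and beside it is a check that also consults the destination bucket's allowed copy sources.

```rust
use std::collections::{HashMap, HashSet};

#[derive(Clone, Copy, PartialEq, Eq, Hash)]
pub enum Action { GetObject, PutObject }

/// Hypothetical identity grants: the (bucket, action) pairs a caller holds.
pub type Grants = HashSet<(String, Action)>;

/// Hypothetical per-bucket policy: cross-bucket copies into this bucket are
/// permitted only from the listed source buckets (default deny).
pub struct BucketPolicy { pub allowed_copy_sources: HashSet<String> }

fn granted(g: &Grants, bucket: &str, action: Action) -> bool {
    g.contains(&(bucket.to_string(), action))
}

/// Shape of the pre-1.0.0-beta.2 check as the advisory describes it: source
/// GetObject and destination PutObject are verified independently, and the
/// destination bucket's copy-source constraint is never consulted.
pub fn authorize_copy_unpatched(g: &Grants, src: &str, dst: &str) -> bool {
    granted(g, src, Action::GetObject) && granted(g, dst, Action::PutObject)
}

/// Corrected check: the identity checks still apply, and the destination
/// bucket's policy must additionally list the source bucket as an allowed
/// copy source (a copy within one bucket needs no such entry).
pub fn authorize_copy_fixed(g: &Grants, src: &str, dst: &str, policies: &HashMap<String, BucketPolicy>) -> bool {
    authorize_copy_unpatched(g, src, dst)
        && (src == dst
            || policies.get(dst).map_or(false, |p| p.allowed_copy_sources.contains(src)))
}

/// Constructed scenario: the caller holds read and write on every bucket, and
/// tenant-b's policy admits copies only from tenant-b-staging.
pub fn demo() -> (bool, bool, bool) {
    let mut grants = Grants::new();
    for b in ["tenant-a", "tenant-b", "tenant-b-staging"] {
        grants.insert((b.to_string(), Action::GetObject));
        grants.insert((b.to_string(), Action::PutObject));
    }
    let policies = HashMap::from([("tenant-b".to_string(), BucketPolicy {
        allowed_copy_sources: HashSet::from(["tenant-b-staging".to_string()]),
    })]);
    (
        authorize_copy_unpatched(&grants, "tenant-a", "tenant-b"),                // true: the gap
        authorize_copy_fixed(&grants, "tenant-a", "tenant-b", &policies),         // false: blocked
        authorize_copy_fixed(&grants, "tenant-b-staging", "tenant-b", &policies), // true: listed source
    )
}
```

The first verdict shows why per-bucket identity checks alone are insufficient: both checks pass, yet the destination's policy never had a say.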

Compliance Impact

The vulnerability allows unauthorized cross-bucket data copying, which violates tenant isolation guarantees and enables sensitive data to be moved into buckets whose copy-source restrictions should have blocked it, without proper authorization.

Such unauthorized data movement can lead to breaches of data protection policies required by standards like GDPR and HIPAA, as sensitive information may be exposed or transferred without appropriate controls.

Therefore, this vulnerability poses a risk to compliance with regulations that mandate strict access controls and data handling procedures to protect confidentiality.

Impact Analysis

This vulnerability can lead to unauthorized data movement between buckets in RustFS. An attacker or unauthorized user could copy objects from one bucket to another without proper permission checks on the destination bucket's policies.

This could result in data leakage, unauthorized data access, or data exposure across different storage buckets, potentially compromising sensitive or confidential information.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade RustFS to version 1.0.0-beta.2 or later, where the issue has been fixed.
