CVE-2026-46685
Origin Reflection in RustFS S3 Listener
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rustfs | rustfs | to 1.0.0-beta.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
| CWE-942 | The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate. |
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability creates a permissive cross-domain policy: a page on an attacker-controlled origin can make credentialed cross-origin requests to a RustFS deployment and read the responses whenever the victim's browser carries ambient credentials for the RustFS origin. Unauthorized access to personal or otherwise sensitive data held in RustFS can therefore put a deployment in breach of data-protection regimes such as GDPR and HIPAA, which require strict controls on who may access and transmit such information.
Note that the attacker's page does not obtain the victim's credentials themselves; it borrows them, reading bucket listings or object contents that the browser fetched on the victim's behalf. That is still an unauthorized disclosure of protected data and undermines the confidentiality controls those standards mandate.
To reduce the risk and stay within those controls, operators should set the `RUSTFS_CORS_ALLOWED_ORIGINS` environment variable explicitly to the trusted origins, avoid exposing RustFS endpoints to browsers that hold ambient credentials for them until the fix is deployed, and upgrade to a fixed version.
Can you explain this vulnerability to me?
CVE-2026-46685 is a vulnerability in RustFS, a distributed object storage system. When the environment variable RUSTFS_CORS_ALLOWED_ORIGINS is not set, the RustFS S3 listener reflects any request's Origin header back as the Access-Control-Allow-Origin response header. It also sets Access-Control-Allow-Credentials to true and Access-Control-Allow-Headers to * on all responses, including preflight and error responses.
This creates a permissive cross-domain policy: a page on an attacker-controlled origin can issue credentialed cross-origin requests (for example a fetch with credentials set to include) to a RustFS deployment and read the responses. Browsers refuse to expose a credentialed response whose Access-Control-Allow-Origin is the wildcard *, which is exactly why reflecting the exact Origin together with Access-Control-Allow-Credentials: true is the dangerous combination. The read succeeds if the victim's browser attaches ambient credentials for the RustFS origin on its own, such as saved HTTP Basic Auth credentials, SSO cookies set by a reverse proxy in front of RustFS (provided their SameSite attribute lets the browser send them cross-site), or TLS client certificates. Access keys that S3 SDKs use to sign requests are not ambient in this sense, since the browser never attaches them automatically; the exposure is specific to credentials the browser sends by itself.
The vulnerability is fixed in RustFS version 1.0.0-beta.2 by changing the default behavior to not emit CORS headers when RUSTFS_CORS_ALLOWED_ORIGINS is unset and only allowing credentials when the origin matches an explicit allow-list.
How can this vulnerability impact me?
This vulnerability can allow attackers to perform credentialed cross-origin requests to a RustFS deployment and read sensitive responses if the victim's browser has stored credentials for that RustFS origin.
Such an attack could lead to unauthorized access to protected data stored in RustFS, potentially exposing confidential information or enabling further attacks using the compromised credentials.
Operators who do not set the RUSTFS_CORS_ALLOWED_ORIGINS environment variable and expose RustFS endpoints to browsers with ambient credentials are at risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerable behaviour is observable from outside: send a request carrying an Origin header that is not one of your trusted origins and check whether the RustFS S3 listener reflects it back in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true (and Access-Control-Allow-Headers: *). Because the advisory states that the headers are emitted on preflight and error responses as well, also check an OPTIONS preflight (carrying an Access-Control-Request-Method header) and an unauthenticated request that returns an error, not only a successful GET.
curl or the browser developer tools are enough for this; the probe itself needs no credentials.
- Send a request with a forged Origin header and print the response headers: `curl -H "Origin: http://example.com" -I https://your-rustfs-endpoint`
- Look for `Access-Control-Allow-Origin: http://example.com` and `Access-Control-Allow-Credentials: true` in the response. A reflected origin is the signal; `Access-Control-Allow-Origin: *` on its own is not exploitable with credentials, because browsers refuse that combination.
- If the listener answers an unlisted origin without any CORS headers, compare the running version against 1.0.0-beta.2 to confirm that the fixed default is in place rather than a proxy in front of RustFS stripping the headers.
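The reflection described in the explanation above and the curl check just given, as an added example that is not RustFS code: a small Python stand-in for the S3 listener's CORS decision before and after the fix, plus a probe that sends the OPTIONS preflight and a plain GET with a forged Origin and reports whether the response would be readable from that origin with credentials. Everything here is an assumption for illustration: the stand-in server, the comma-separated format for the allow-list, the path /bucket?list-type=2, the origins attacker.example and console.example, and the cookie check that stands in for a reverse proxy requiring SSO. Only the header behaviour the advisory describes is modelled; no real deployment is contacted.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def cors_headers(origin, allowed_env, fixed):
    """CORS response headers for a request that carried `origin` (None if absent).

    allowed_env mirrors RUSTFS_CORS_ALLOWED_ORIGINS: None when unset, otherwise a
    comma-separated list of origins (the separator is an assumption of this demo).
    fixed=False models the behaviour the advisory describes; fixed=True models the
    patched default it describes.
    """
    if origin is None:
        return {}  # same-origin or non-browser client: nothing to emit
    if allowed_env is None:
        if fixed:
            return {}  # patched default: no allow-list, no CORS headers at all
        # Vulnerable default: reflect the caller's Origin and allow credentials.
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Access-Control-Allow-Headers": "*",
        }
    allowed = {o.strip() for o in allowed_env.split(",") if o.strip()}
    if origin not in allowed:
        return {}  # not allow-listed: the browser will refuse to expose the response
    return {  # explicit match: credentials allowed; Vary is standard cache hygiene
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


class StandInListener(BaseHTTPRequestHandler):
    """Tiny stand-in for the S3 listener (assumed behaviour, not RustFS code)."""
    allowed_env = None
    fixed = False

    def _reply(self, status):
        self.send_response(status)
        headers = cors_headers(self.headers.get("Origin"), self.allowed_env, self.fixed)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()

    def do_OPTIONS(self):  # CORS preflight
        self._reply(204)

    def do_GET(self):
        # Pretend a reverse proxy in front of the listener wants an SSO cookie;
        # without it the request fails, and the CORS headers ride on the error too.
        self._reply(200 if "session=" in self.headers.get("Cookie", "") else 403)

    def log_message(self, *_):
        pass  # keep the demo quiet


def probe(base_url, forged_origin="https://attacker.example"):
    """Send a preflight and a plain GET carrying a forged Origin and report, per
    method, whether the response would be readable from forged_origin with
    credentials (origin reflected and Access-Control-Allow-Credentials: true)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxies
    verdicts = {}
    for method, extra in (("OPTIONS", {"Access-Control-Request-Method": "GET"}), ("GET", {})):
        req = urllib.request.Request(base_url + "/bucket?list-type=2", method=method,
                                     headers={"Origin": forged_origin, **extra})
        try:
            with opener.open(req, timeout=5) as resp:
                hdrs = resp.headers
        except urllib.error.HTTPError as err:  # 4xx/5xx: inspect those headers too
            hdrs = err.headers
        verdicts[method] = (hdrs.get("Access-Control-Allow-Origin") == forged_origin
                            and hdrs.get("Access-Control-Allow-Credentials", "").lower() == "true")
    return verdicts


def assess(allowed_env, fixed):
    """Start a stand-in listener with the given settings, probe it, and return
    True if any response reflected the forged Origin with credentials allowed."""
    handler = type("Handler", (StandInListener,), {"allowed_env": allowed_env, "fixed": fixed})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return any(probe(f"http://127.0.0.1:{server.server_address[1]}").values())
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    cases = [("pre-fix, RUSTFS_CORS_ALLOWED_ORIGINS unset", None, False),
             ("pre-fix, allow-list set to the console origin", "https://console.example", False),
             ("fixed, RUSTFS_CORS_ALLOWED_ORIGINS unset", None, True),
             ("fixed, allow-list set to the console origin", "https://console.example", True)]
    for label, env, fixed in cases:
        print(f"{label}: {'VULNERABLE' if assess(env, fixed) else 'not reflected'}")
```

Pointing `probe()` at a real endpoint instead of the stand-in gives the same per-method verdict as the curl commands above, and it deliberately keeps the headers of error responses, because a 403 from an unauthenticated probe is where a reflected origin is easy to miss.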
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to set the environment variable RUSTFS_CORS_ALLOWED_ORIGINS explicitly to the trusted origins. With the allow-list set, the RustFS S3 listener stops reflecting arbitrary Origin headers and only emits CORS headers for origins on the list. List full origins (scheme, host and port) for the browser-facing applications that legitimately call the S3 API, and do not include a wildcard or any origin you do not control.
Until the patched version is deployed, also avoid exposing RustFS endpoints to browsers that carry ambient credentials for them, such as saved HTTP Basic Auth credentials, reverse-proxy SSO cookies, or TLS client certificates. Where a reverse proxy authenticates users in front of RustFS, it can additionally strip or overwrite the CORS headers RustFS emits as a stopgap.
The vulnerability is fixed in RustFS 1.0.0-beta.2, so upgrade to that version or later. After upgrading, the unset default is safe, but browser-based clients on other origins then need RUSTFS_CORS_ALLOWED_ORIGINS to be set in order to work at all.