CVE-2026-46685
Deferred Deferred - Pending Action
Origin Reflection in RustFS S3 Listener

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: * on responses, including preflight responses and error responses. This creates a permissive cross-domain policy with untrusted origins. A browser visiting an attacker-controlled page can issue credentialed cross-origin requests to a reachable RustFS deployment and read the response when the victim browser has ambient credentials for the RustFS origin, such as saved HTTP Basic Auth credentials, reverse-proxy SSO cookies, or TLS client certificates. This vulnerability is fixed in 1.0.0-beta.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-18
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-46685
EUVD
EUVD-2026-32999
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rustfs rustfs to 1.0.0-beta.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.
CWE-942 The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-46685 is a vulnerability in RustFS, a distributed object storage system. When the environment variable RUSTFS_CORS_ALLOWED_ORIGINS is not set, the RustFS S3 listener reflects any request's Origin header back as the Access-Control-Allow-Origin response header. It also sets Access-Control-Allow-Credentials to true and Access-Control-Allow-Headers to * on all responses, including preflight and error responses.

This creates a permissive cross-domain policy that allows attacker-controlled websites to make credentialed cross-origin requests to a RustFS deployment. If a victim's browser has ambient credentials for the RustFS origin, such as saved HTTP Basic Auth credentials, SSO cookies, or TLS client certificates, the attacker can read the responses from these requests.

The vulnerability is fixed in RustFS version 1.0.0-beta.2 by changing the default behavior to not emit CORS headers when RUSTFS_CORS_ALLOWED_ORIGINS is unset and only allowing credentials when the origin matches an explicit allow-list.

Impact Analysis

This vulnerability can allow attackers to perform credentialed cross-origin requests to a RustFS deployment and read sensitive responses if the victim's browser has stored credentials for that RustFS origin.

Such an attack could lead to unauthorized access to protected data stored in RustFS, potentially exposing confidential information or enabling further attacks using the compromised credentials.

Operators who do not set the RUSTFS_CORS_ALLOWED_ORIGINS environment variable and expose RustFS endpoints to browsers with ambient credentials are at risk.

Detection Guidance

This vulnerability can be detected by checking if the RustFS S3 listener is reflecting the Origin header back in the Access-Control-Allow-Origin response header and if Access-Control-Allow-Credentials is set to true along with Access-Control-Allow-Headers set to * on responses, including preflight and error responses.

You can use network inspection tools like curl or browser developer tools to send requests with custom Origin headers to the RustFS endpoint and observe the response headers.

  • Use curl to send a request with a custom Origin header and check response headers:
  • curl -H "Origin: http://example.com" -I https://your-rustfs-endpoint
  • Look for Access-Control-Allow-Origin: http://example.com and Access-Control-Allow-Credentials: true in the response headers.
Mitigation Strategies

To mitigate this vulnerability immediately, explicitly set the environment variable RUSTFS_CORS_ALLOWED_ORIGINS to a list of trusted origins. This prevents the RustFS S3 listener from reflecting arbitrary Origin headers and restricts cross-origin requests to trusted domains only.

Additionally, avoid exposing RustFS endpoints to browsers that carry ambient credentials such as saved HTTP Basic Auth credentials, reverse-proxy SSO cookies, or TLS client certificates until the system is patched.

The vulnerability is fixed in RustFS version 1.0.0-beta.2, so upgrading to this or a later version is recommended.

Compliance Impact

This vulnerability creates a permissive cross-domain policy that allows attackers to perform credentialed cross-origin requests and read sensitive responses if a victim's browser has ambient credentials for the RustFS origin. Such unauthorized access to sensitive data could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on personal and sensitive information access and transmission.

Specifically, the vulnerability could result in unauthorized disclosure of authentication credentials or protected data, undermining confidentiality and potentially leading to non-compliance with standards that mandate secure handling of user credentials and personal data.

To mitigate this risk and maintain compliance, operators must explicitly set the `RUSTFS_CORS_ALLOWED_ORIGINS` environment variable to trusted origins and avoid exposing RustFS endpoints to browsers carrying ambient credentials until the vulnerability is patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46685. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart