RustFS CVE-2026-27607 Missing Post Policy Validation Arbitrary Object Write

Critical Vulnerability Information Vulnerability Title Missing Post Policy Validation Leads to Arbitrary Object Write Identification CVE ID: CVE-2026-27607 GitHub Advisor: GHSA-w5fh-f8xh-5x3p Vulnerability Description RustFS fails to validate policy conditions on presigned POST uploads (PostObject), allowing attackers to bypass constraints regarding content length ranges, string prefixes, and Content-Type. This leads to unauthorized file uploads exceeding size limits, uploading arbitrary object keys, and Content-Type spoofing, potentially resulting in storage exhaustion, unauthorized data access, and security bypasses. Vulnerability Details RustFS contains a vulnerability in the implementation of the PostObject endpoint where presigned policy conditions are neither parsed nor validated. Impact Vulnerability Type: Incorrect Input Validation / Privilege Bypass (CWE-20, CWE-863) Affected Applications: Applications using RustFS as an S3-compatible backend that rely on presigned POST policy conditions for access control or upload restrictions. Attack Scenarios 1. Storage Exhaustion / Denial of Service: Uploading arbitrarily large files causes disk saturation and service downtime. 2. Unauthorized Data Access/Modification: Uploading files to controlled paths, such as overwriting configuration files. 3. Content-Type Spoofing: Bypassing Content-Type restrictions to serve malicious content, such as HTML/JavaScript files. If the service only accepts images, this could lead to XSS attacks. Severity High severity; allows complete bypass of upload constraints enforced by the service, compromising the security model relied upon by the application. CVSSv3 Base Vector Severity: High (8.1/10) Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: High Fixed Versions Affected: 1.0.0-alpha.56 through 1.0.0-alpha.82 Fixed: alpha.83

Goal Reached Thanks to every supporter — we hit 100%!

RustFS CVE-2026-27607 Missing Post Policy Validation Arbitrary Object Write

More from this source