CVE

CVE-2026-27607

RustFS's Missing Post Policy Validation leads to Arbitrary Object Write

CVE

CVE-2026-27607

RustFS's Missing Post Policy Validation leads to Arbitrary Object Write

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses. Version 1.0.0-alpha.83 fixes the issue.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

8.1

3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27607.json, https://github.com/rustfs/rustfs/security/advisories/GHSA-w5fh-f8xh-5x3p, https://nvd.nist.gov/vuln/detail/CVE-2026-27607

Severity

8.1

CVSS Score

Basic Information

Ecosystem

Base CVSS

8.1

EPSS Probability

0.00122%

EPSS Percentile

0.30778%

Introduced Version

3f717292bf69a6cf5fffa0e41253fd1ce08ec5cb

Fix Available

9824171995b58da071c18b5243299bc69e6ec4a7

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2026-27607

CVE-2026-27607

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

8.1

Basic Information

Fix Critical Vulnerabilities Instantly