CVE-2026-27607 Rustfs — Exploit & Vulnerability Details CRITICAL

Parameter	Value
CVSS	9.1 (CRITICAL)
Type	CWE-863 (Incorrect Authorization), CWE-20 (Improper Input Validation)
Vendor	Rustfs
Public PoC	No

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses.

Version 1.0.0-alpha.83 fixes the issue.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Privileges Required

None

No privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

None

No data leak

Integrity

High

Complete data modification

Availability

High

Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-863 Incorrect Authorization

CWE-20 Improper Input Validation

Vulnerable Products 27

Configuration	From (including)	Up to (excluding)
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha56::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha57::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha58::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha59::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha60::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha61::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha62::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha63::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha64::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha65::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha66::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha67::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha68::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha69::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha70::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha71::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha72::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha73::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha74::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha75::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha76::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha77::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha78::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha79::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha80::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha81::::rust::*	—	—
Rustfs Rustfs cpe:2.3:a:rustfs:rustfs:1.0.0:alpha82::::rust::*	—	—

References 1

https://github.com/rustfs/rustfs/security/advisories/GHSA-w5fh-f8xh-5x3p

security-advisories@github.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-39360

Rustfs

5.3

CVE-2026-27822

Rustfs

5.4

CVE-2026-22782

Rustfs

2.9

CVE-2026-22043

Rustfs

5.7

CVE-2026-22042

Rustfs

5.7

Menu

CVE-2026-27607

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

Vulnerable Products 27

References 1

Related Vulnerabilities

CVE-2026-39360

CVE-2026-27822

CVE-2026-22782

CVE-2026-22043

CVE-2026-22042

CVE Details

Editor's Choice

Menu

CVE-2026-27607

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

Vulnerable Products 27

References 1

Related Vulnerabilities

CVE-2026-39360

CVE-2026-27822

CVE-2026-22782

CVE-2026-22043

CVE-2026-22042

CVE Details

Editor's Choice

Stay informed on cybersecurity