CVE-2026-27607
CRITICAL WAF: Medium
CVSS 9.1
Published: 2026-02-25
CWE-20 CWE-863 CWE-863
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses. Version 1.0.0-alpha.83 fixes the issue.
WAF Coverage Analysis
Improper Input Validation
Medium WAF Coverage
OWASP: A03:2021 Injection
920xxx - Protocol Enforcement 941xxx - XSS / XXE 942xxx - SQL Injection
Incorrect Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Incorrect Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| rustfs | rustfs | 1.0.0 |
| rustfs | rustfs | 1.0.0 |
| rustfs | rustfs | 1.0.0 |
| rustfs | rustfs | 1.0.0 |
| rustfs | rustfs | 1.0.0 |
| rustfs | rustfs | 1.0.0 |
| rustfs | rustfs | 1.0.0 |
| rustfs | rustfs | 1.0.0 |
| rustfs | rustfs | 1.0.0 |
| rustfs | rustfs | 1.0.0 |
References
- github.com (Vendor Advisory)