CVE-2026-27607
- Source
- https://cve.org/CVERecord?id=CVE-2026-27607
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27607.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-27607
- Aliases
- Published
- 2026-02-25T02:10:28.086Z
- Modified
- 2026-03-03T02:56:34.343904Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
- Summary
- RustFS's Missing Post Policy Validation leads to Arbitrary Object Write
- Details
-
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses. Version 1.0.0-alpha.83 fixes the issue.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27607.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-20", "CWE-863" ] }- References
Affected packages
Git / github.com/rustfs/rustfs
Affected versions
1.*
1.0.0-alpha.56
1.0.0-alpha.57
1.0.0-alpha.58
1.0.0-alpha.59
1.0.0-alpha.60
1.0.0-alpha.61
1.0.0-alpha.62
1.0.0-alpha.63
1.0.0-alpha.64
1.0.0-alpha.65
1.0.0-alpha.66
1.0.0-alpha.67
1.0.0-alpha.68
1.0.0-alpha.69
1.0.0-alpha.70
1.0.0-alpha.71
1.0.0-alpha.72
1.0.0-alpha.73
1.0.0-alpha.74
1.0.0-alpha.75
1.0.0-alpha.76
1.0.0-alpha.77
1.0.0-alpha.78
1.0.0-alpha.79
1.0.0-alpha.80
1.0.0-alpha.81
1.0.0-alpha.82