GHSA-mx42-j6wv-px98
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mx42-j6wv-px98
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mx42-j6wv-px98/GHSA-mx42-j6wv-px98.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mx42-j6wv-px98
- Aliases
-
- CVE-2026-39360
- Published
- 2026-04-08T00:15:50Z
- Modified
- 2026-04-08T00:42:40.124247Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- RustFS has an authorization bypass in multipart UploadPartCopy enables cross-bucket object exfiltration
- Details
-
RustFS contains a missing authorization check in the multipart copy path (
UploadPartCopy). A low-privileged user who cannot read objects from a victim bucket can still exfiltrate victim objects by copying them into an attacker-controlled multipart upload and completing the upload.This breaks tenant isolation in multi-user / multi-tenant deployments.
Impact
Unauthorized cross-bucket / cross-tenant data exfiltration (Confidentiality: High).
An attacker with only minimal permissions on their own bucket (multipart upload + Put/Get on destination objects) can copy and retrieve objects from a victim bucket without having
s3:GetObject(or equivalent) permission on the source.In the attached PoC, the attacker successfully exfiltrates a 5MB private object and proves integrity via matching SHA256 and size.
Threat Model (Realistic)
- Victim tenant/user owns a bucket (e.g.,
victim-bucket-*) and stores private objects (e.g.,private/finance_dump.bin). - Attacker tenant/user has no permissions on the victim bucket:
- cannot
ListObjects,HeadObject,GetObject, orCopyObjectfrom the victim bucket.
- cannot
- Attacker has minimal permissions only on attacker bucket:
CreateMultipartUpload,UploadPart,UploadPartCopy,CompleteMultipartUpload,AbortMultipartUpload,- and
PutObject/GetObjectfor objects in attacker bucket.
- Despite this, attacker can exfiltrate victim objects via multipart copy.
Root Cause Analysis
The access control layer fails open for multipart copy-related operations:
File:
rustfs/src/storage/access.rs-abort_multipart_upload()returnsOk(())without authorization (L435–437) -complete_multipart_upload()returnsOk(())without authorization (L442–444) -upload_part_copy()returnsOk(())without authorization (L1446–1448)In contrast,
copy_object()correctly enforces authorization: - sourceGetObjectauthorization (L469) - destinationPutObjectauthorization (L478)The multipart copy implementation reads the source object directly:
File:
rustfs/src/app/multipart_usecase.rs-store.get_object_reader(&src_bucket, &src_key, ...)(L959–962)Because
upload_part_copy()does not enforce sourceGetObjectauthorization, the server reads and copies victim data even when the requester lacks permission.Affected Versions
- Tested vulnerable on:
main@c1d5106acc3480c275a52344df84633bb6dcd8f0 - Git describe:
1.0.0-alpha.86-3-gc1d5106a
The fail-open authorization behavior for
UploadPartCopywas introduced in: - Commit:09ea11c13(pergit blameonrustfs/src/storage/access.rs:1443-1448)Affected range (recommended wording): - All versions from commit
09ea11c13throughc1d5106acc3480c275a52344df84633bb6dcd8f0(and likely any releases containing those commits) until a fix is applied.Package version (Cargo metadata)
rustfscrate version in this tree: 0.0.5 (cargo metadata)
Proof of Concept (PoC) – Real Commands + Verified Results
Files
Place the PoC script at the repository root:
- PoC script:
poc_uploadpartcopy_exfil_v3.sh - Captured output:
poc_v3_output.txt - (Optional) Redacted debug log:
upload_part_copy_debug_redacted.log(Authorization/signature redacted)
Environment
RustFS running locally (Docker is simplest), listening on:
http://127.0.0.1:9000
Tools: -
awscli,jq,awscurlSteps to Reproduce
1) Start RustFS (example):
docker compose -f docker-compose-simple.yml up -d- Run the PoC and save output:
chmod +x poc_uploadpartcopy_exfil_v3.sh ./poc_uploadpartcopy_exfil_v3.sh | tee poc_v3_output.txtAttachments
Expected Behavior
Attacker operations against victim bucket should be denied:
ListObjects-> AccessDeniedHeadObject-> AccessDeniedGetObject-> AccessDeniedCopyObject-> AccessDenied
UploadPartCopyfrom victim -> attacker multipart should also be denied.
Actual Behavior
- All direct operations against victim are denied (as expected),
- but
UploadPartCopysucceeds, and attacker retrieves the copied object from attacker bucket.
Observed PoC Output
Victim uploads a private object:
- size:
5,242,880bytes - sha256:
fda018db1da9d8f4c1b287c75943384a3b4ede391ec156039b6d94e17d6ad68f
Attacker exfiltrates it via multipart copy:
- stolen size:
5,242,880bytes - stolen sha256:
fda018db1da9d8f4c1b287c75943384a3b4ede391ec156039b6d94e17d6ad68f
Proof:
- hashes and sizes match (victim == stolen) -> unauthorized cross-bucket read confirmed.
Network Evidence (Redacted)
The debug log shows a successful request with:
- HTTP method:
PUT - destination:
/<attacker-bucket>/<dst-key>?partNumber=1&uploadId=... - header:
x-amz-copy-source: <victim-bucket>/private/finance_dump.bin - response:
HTTP/1.1 200with<CopyPartResult><ETag>...</ETag>...</CopyPartResult>
Fix
Implement authorization checks equivalent to
copy_object()for multipart copy paths:upload_part_copy:- enforce source
GetObjectauthorization onx-amz-copy-source - enforce destination
PutObjectauthorization on the target object - (recommended) apply the same tag-condition enforcement used by
copy_object()on the source.
- enforce source
complete_multipart_upload:- enforce destination
PutObjectauthorization
- enforce destination
abort_multipart_upload:- enforce appropriate multipart permission (or destination
PutObjectas a safe boundary)
- enforce appropriate multipart permission (or destination
- Victim tenant/user owns a bucket (e.g.,
- Database specific
{ "cwe_ids": [ "CWE-862" ], "nvd_published_at": "2026-04-07T19:16:46Z", "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-04-08T00:15:50Z" }- References
Affected packages
crates.io / rustfs
Package
- Name
- rustfs
- View open source insights on deps.dev
- Purl
- pkg:cargo/rustfs