CVE-2026-27607
📋 TL;DR
This vulnerability in RustFS allows attackers to bypass upload policy restrictions in presigned POST uploads, enabling unauthorized file uploads that exceed size limits, target arbitrary locations, and spoof content types. Systems running RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 are affected. This could lead to storage exhaustion, unauthorized data access, and security control bypasses.
💻 Affected Systems
- RustFS
📦 What is this software?
Rustfs by Rustfs
⚠️ Risk & Real-World Impact
Worst Case
Complete storage exhaustion leading to service disruption, unauthorized sensitive data exposure, and bypass of security controls allowing malicious content upload.
Likely Case
Storage abuse through oversized uploads, unauthorized file placement in restricted directories, and content-type spoofing enabling security bypasses.
If Mitigated
Limited impact if external uploads are disabled or strict network controls prevent unauthorized access to presigned POST endpoints.
🎯 Exploit Status
Exploitation requires network access to presigned POST upload endpoints but does not require authentication once the endpoint is reachable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.0-alpha.83
Vendor Advisory: https://github.com/rustfs/rustfs/security/advisories/GHSA-w5fh-f8xh-5x3p
Restart Required: Yes
Instructions:
1. Stop the RustFS service.
2. Update to version 1.0.0-alpha.83 or later.
3. Restart the RustFS service.
4. Verify that policy validation is working.
🔧 Temporary Workarounds
Disable presigned POST uploads
Temporarily disable PostObject functionality until patching is possible.
Modify RustFS configuration to disable PostObject endpoints
Implement WAF rules
Add web application firewall rules to validate upload parameters before they reach RustFS.
Configure WAF to validate Content-Length, Content-Type, and object key patterns
🧯 If You Can't Patch
- Implement strict network ACLs to limit access to presigned POST endpoints
- Deploy rate limiting and upload size monitoring to detect abuse patterns
🔍 How to Verify
Check if Vulnerable:
If the RustFS version is between 1.0.0-alpha.56 and 1.0.0-alpha.82 (inclusive) and PostObject functionality is in use, the system is vulnerable.
Check Version:
rustfs --version
Verify Fix Applied:
Test presigned POST uploads with policy violations; they should be rejected after patching.
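The following is an added reference model, not RustFS code, of the policy enforcement that a patched server (or the WAF workaround above) must apply to every PostObject submission. It signs an S3-style POST policy, then checks a submitted form against each condition (bucket, key prefix, Content-Type, content-length-range) and the policy signature, so each of the three bypass classes in this advisory is rejected. The credentials, bucket name, key prefix, size limit and fixed clock are assumptions chosen to make the demo deterministic; the same cases are the ones to replay against a patched instance when verifying the fix.

```python
"""Reference model of presigned POST policy enforcement.

Added example, not RustFS code: it shows the checks a patched server (or a
WAF placed in front of it) must apply to every PostObject submission before
accepting the object. Credentials, bucket, key prefix, limits and the fixed
clock below are assumptions chosen for a deterministic demo.
"""
import base64
import datetime
import hashlib
import hmac
import json

SECRET_KEY = "constructed-secret-not-a-real-key"   # assumption, not a real key
REGION = "us-east-1"                               # assumption
DATE_STAMP = "20260301"                            # yyyymmdd used in the SigV4 scope


def signing_key(secret, date_stamp, region):
    """Standard AWS SigV4 signing-key derivation for the s3 service."""
    k_date = hmac.new(("AWS4" + secret).encode(), date_stamp.encode(), hashlib.sha256).digest()
    k_region = hmac.new(k_date, region.encode(), hashlib.sha256).digest()
    k_service = hmac.new(k_region, b"s3", hashlib.sha256).digest()
    return hmac.new(k_service, b"aws4_request", hashlib.sha256).digest()


def sign_policy(encoded_policy):
    """Hex HMAC-SHA256 of the base64 policy under the derived signing key."""
    key = signing_key(SECRET_KEY, DATE_STAMP, REGION)
    return hmac.new(key, encoded_policy.encode(), hashlib.sha256).hexdigest()


def build_presigned_post(bucket, key_prefix, max_bytes, content_type, expiration):
    """Form fields a server hands to a client for one restricted upload."""
    policy = {
        "expiration": expiration,
        "conditions": [
            {"bucket": bucket},
            ["starts-with", "$key", key_prefix],
            {"Content-Type": content_type},
            ["content-length-range", 0, max_bytes],
        ],
    }
    encoded = base64.b64encode(json.dumps(policy).encode()).decode()
    return {"policy": encoded, "x-amz-signature": sign_policy(encoded)}


def validate_post(form, body_len, now):
    """Return the policy violations for one submission; an empty list means accept.

    Every condition of the signed policy is checked against the submitted form
    fields and the real body length; this is the step that must not be skipped.
    """
    encoded = form.get("policy", "")
    if not hmac.compare_digest(sign_policy(encoded), form.get("x-amz-signature", "")):
        return ["policy signature mismatch"]      # a client-edited policy is never trusted
    policy = json.loads(base64.b64decode(encoded))
    expires = datetime.datetime.fromisoformat(policy["expiration"].replace("Z", "+00:00"))
    if now > expires:
        return ["policy expired"]
    violations = []
    for cond in policy["conditions"]:
        if isinstance(cond, dict):                 # {"field": "exact value"}
            (field, want), = cond.items()
            if form.get(field) != want:
                violations.append(f"{field}: expected {want!r}, got {form.get(field)!r}")
        elif cond[0] in ("eq", "starts-with"):     # ["eq"|"starts-with", "$field", value]
            field, want = cond[1].lstrip("$"), cond[2]
            got = str(form.get(field, ""))
            failed = got != want if cond[0] == "eq" else not got.startswith(want)
            if failed:
                violations.append(f"{field}: {got!r} fails {cond[0]} {want!r}")
        elif cond[0] == "content-length-range":    # ["content-length-range", min, max]
            if not cond[1] <= body_len <= cond[2]:
                violations.append(f"body of {body_len} bytes outside [{cond[1]}, {cond[2]}]")
    return violations


def example_cases():
    """A compliant upload, the three bypass classes from the advisory, and a tampered policy."""
    now = datetime.datetime(2026, 3, 1, 0, 30, tzinfo=datetime.timezone.utc)
    fields = build_presigned_post("user-uploads", "user-42/", 1_000_000, "image/png",
                                  "2026-03-01T01:00:00Z")
    base = {**fields, "bucket": "user-uploads", "key": "user-42/avatar.png",
            "Content-Type": "image/png"}
    # Policy rewritten by the client to drop every condition; signature left unchanged.
    forged_policy = base64.b64encode(
        json.dumps({"expiration": "2099-01-01T00:00:00Z", "conditions": []}).encode()).decode()
    return {
        "compliant": validate_post(base, 500_000, now),
        "oversized": validate_post(base, 50_000_000, now),
        "wrong_prefix": validate_post({**base, "key": "admin/settings.json"}, 1_000, now),
        "spoofed_type": validate_post({**base, "Content-Type": "text/html"}, 1_000, now),
        "tampered_policy": validate_post({**base, "policy": forged_policy}, 1_000, now),
    }


if __name__ == "__main__":
    for name, result in example_cases().items():
        print(f"{name:16s} {'ACCEPT' if not result else 'REJECT: ' + '; '.join(result)}")
```

Only the compliant case is accepted; the oversized body, the key outside the signed prefix, the spoofed Content-Type and the edited policy are each rejected. A real deployment additionally checks the x-amz-credential and x-amz-date fields against the signing scope, which this model leaves out.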
📡 Detection & Monitoring
Log Indicators:
- Uploads exceeding policy size limits
- Uploads to unexpected object key patterns
- Content-Type mismatches in upload logs
Network Indicators:
- Unusually large POST requests to upload endpoints
- Multiple failed policy validation attempts
SIEM Query:
source="rustfs" AND (upload_size > policy_limit OR object_key NOT LIKE expected_pattern*)
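An added example, not RustFS code, of the detection pass the indicators above describe: it reads upload log events, flags the three per-event indicators (size over the expected limit, key outside the expected pattern, declared Content-Type inconsistent with the key extension), and aggregates repeated policy denials per client. The JSON-lines log format, field names, per-bucket expectations and threshold are assumptions; the log lines are constructed and must be replaced by the real RustFS audit log and the limits your application actually issues.

```python
"""Detection pass over upload log events for the indicators in this advisory.

Added example, not RustFS code. The JSON-lines log format, field names,
per-bucket expectations and alert threshold are assumptions; the sample log
is constructed, not captured from a real system.
"""
import json
import re
from collections import Counter

# Operator-side expectations for legitimate presigned POST uploads (assumption).
EXPECTED = {
    "user-uploads": {"max_bytes": 5_000_000, "key_pattern": re.compile(r"^user-\d+/[^/]+$")},
}

# Declared Content-Type considered consistent with a key extension (assumption).
EXT_TYPES = {".png": {"image/png"}, ".jpg": {"image/jpeg"}, ".pdf": {"application/pdf"}}

FAILED_POLICY_THRESHOLD = 3  # repeated denials from one client worth an alert

# Constructed sample log (not real RustFS output); TEST-NET addresses only.
SAMPLE_LOG = """
{"ts":"2026-03-01T10:00:01Z","client_ip":"203.0.113.7","op":"PostObject","bucket":"user-uploads","key":"user-42/photo.png","bytes":412000,"content_type":"image/png","status":200}
{"ts":"2026-03-01T10:00:05Z","client_ip":"203.0.113.9","op":"PostObject","bucket":"user-uploads","key":"user-42/big.png","bytes":900000000,"content_type":"image/png","status":200}
{"ts":"2026-03-01T10:00:09Z","client_ip":"203.0.113.9","op":"PostObject","bucket":"user-uploads","key":"admin/settings.json","bytes":2048,"content_type":"application/json","status":200}
{"ts":"2026-03-01T10:00:12Z","client_ip":"203.0.113.9","op":"PostObject","bucket":"user-uploads","key":"user-42/report.pdf","bytes":3000,"content_type":"text/html","status":200}
{"ts":"2026-03-01T10:01:00Z","client_ip":"198.51.100.4","op":"PostObject","bucket":"user-uploads","key":"user-7/a.png","bytes":10,"content_type":"image/png","status":403,"reason":"policy"}
{"ts":"2026-03-01T10:01:02Z","client_ip":"198.51.100.4","op":"PostObject","bucket":"user-uploads","key":"user-7/b.png","bytes":10,"content_type":"image/png","status":403,"reason":"policy"}
{"ts":"2026-03-01T10:01:04Z","client_ip":"198.51.100.4","op":"PostObject","bucket":"user-uploads","key":"user-7/c.png","bytes":10,"content_type":"image/png","status":403,"reason":"policy"}
{"ts":"2026-03-01T10:02:00Z","client_ip":"203.0.113.7","op":"GetObject","bucket":"user-uploads","key":"user-42/photo.png","bytes":412000,"status":200}
"""


def parse_log(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def check_upload(ev):
    """Return the indicator names triggered by one accepted PostObject event."""
    exp = EXPECTED.get(ev.get("bucket"))
    if ev.get("op") != "PostObject" or ev.get("status") != 200 or exp is None:
        return []
    hits = []
    if ev["bytes"] > exp["max_bytes"]:
        hits.append("oversized_upload")              # upload_size > policy_limit
    if not exp["key_pattern"].match(ev["key"]):
        hits.append("unexpected_key")                # object_key NOT LIKE expected_pattern
    ext = ("." + ev["key"].rsplit(".", 1)[-1].lower()) if "." in ev["key"] else ""
    allowed = EXT_TYPES.get(ext)
    if allowed and ev.get("content_type") not in allowed:
        hits.append("content_type_mismatch")         # declared type inconsistent with key
    return hits


def detect(text):
    """Run the per-event checks and the repeated-denial aggregation; return findings."""
    findings = []
    denials = Counter()
    for ev in parse_log(text):
        for name in check_upload(ev):
            findings.append({"indicator": name, "client_ip": ev["client_ip"], "key": ev["key"]})
        if ev.get("op") == "PostObject" and ev.get("status") == 403 and ev.get("reason") == "policy":
            denials[ev["client_ip"]] += 1
    for ip, n in denials.items():
        if n >= FAILED_POLICY_THRESHOLD:
            findings.append({"indicator": "repeated_policy_failures", "client_ip": ip, "count": n})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(json.dumps(f))
```

On the sample log this yields one finding per indicator: the 900 MB object, the key outside the user prefix, the PDF key declared as text/html, and three policy denials from one client. On a patched instance the first three classes should no longer appear as accepted (status 200) uploads, so a spike of them after the fix is deployed points at an unpatched node or a missing WAF rule.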