Cyber Posture

CVE-2026-27607

Severity: High

Published: 25 February 2026
Modified: 25 February 2026
KEV Added: none listed
Patch: available (1.0.0-alpha.83, per the description below)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0012 (30.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate the policy conditions attached to presigned POST uploads (PostObject), allowing an attacker to bypass content-length-range, starts-with, and Content-Type constraints. This enables file uploads that exceed the intended size limit, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses. Version 1.0.0-alpha.83 fixes the issue.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: Directly mandates validation of inputs such as content-length-range, starts-with, and Content-Type in presigned POST uploads so that policy constraints cannot be bypassed.
Prevent: Enforces approved authorizations and the conditions carried in presigned POST policies, blocking uploads to arbitrary object keys and content-type spoofing.
Prevent: Requires timely identification and remediation of flaws such as the policy-validation failure fixed in RustFS 1.0.0-alpha.83.

Security Summary [AI-generated]

CVE-2026-27607 affects RustFS, a distributed object storage system built in Rust, in versions 1.0.0-alpha.56 through 1.0.0-alpha.82. In the S3-style presigned POST flow, a credential holder signs a policy document whose conditions (for example a content-length-range, a starts-with prefix on the object key, or a required Content-Type) bound what the bearer of that policy may upload. The signature covers the policy document, not the form fields the client later submits, so the server must check each submitted field against the policy's conditions before storing anything; affected RustFS versions skipped that check in the PostObject handler. This improper input validation (CWE-20) and incorrect authorization (CWE-863) allows file uploads that exceed the size limit, uploads to arbitrary object keys, and content-type spoofing, all under a signature that remains valid. The issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and was published on 2026-02-25.

The attacker needs only a valid presigned POST policy, which is how the PR:L rating should be read: whoever an application hands a browser-upload form to (typically an end user of that application, not a RustFS administrator) can alter the form's key, Content-Type, or file size and submit it over the network with low complexity and no further interaction. Successful exploitation enables storage exhaustion through oversized uploads, writes to arbitrary object keys (the unauthorized data access and integrity loss named in the description), and content-type spoofing that can defeat downstream controls relying on the stored Content-Type, matching the high integrity (I:H) and availability (A:H) impacts.

The GitHub Security Advisory at https://github.com/rustfs/rustfs/security/advisories/GHSA-w5fh-f8xh-5x3p details the issue and confirms that upgrading to version 1.0.0-alpha.83 resolves the vulnerability by properly enforcing policy conditions in presigned POST uploads. Security practitioners should prioritize patching affected RustFS deployments to mitigate these risks.
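The check the affected versions omit, written here as an added example in Rust (not RustFS's code and not taken from the advisory): after the policy signature is verified and before any bytes are stored, every submitted form field is compared against the decoded policy's eq, starts-with and content-length-range conditions, and, following the S3 POST rule, any non-exempt field the policy never mentions is rejected. It assumes the policy has already been base64-decoded and parsed into the Condition enum (JSON parsing is out of scope), compares field names case-insensitively with the policy's leading $ stripped, and uses constructed sample data with placeholder policy and signature values; the exempt-field list is taken from S3's documented behaviour and may differ from RustFS's.

```rust
use std::collections::HashMap;

// Fields exempt from "every field needs a condition" (assumption: S3's list; RustFS's may differ).
const EXEMPT_FIELDS: &[&str] = &["policy", "x-amz-signature", "file"];

/// A decoded presigned POST policy condition; field names kept as in the policy (e.g. "$key").
#[derive(Debug, Clone)]
pub enum Condition {
    Eq { field: String, value: String },          // {"bucket": "uploads"} or ["eq", "$key", "..."]
    StartsWith { field: String, prefix: String }, // ["starts-with", "$key", "user/alice/"]
    ContentLengthRange { min: u64, max: u64 },    // ["content-length-range", 1, 1048576]
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum PolicyViolation {
    MissingField(String),
    Mismatch { field: String, expected: String, got: String },
    ContentLengthOutOfRange { min: u64, max: u64, got: u64 },
    UnconstrainedField(String),
}

/// The received form: lower-cased field names plus the `file` part's length as actually read.
pub struct PostForm {
    pub fields: HashMap<String, String>,
    pub file_len: u64,
}

impl PostForm {
    pub fn new(fields: &[(&str, &str)], file_len: u64) -> Self {
        let fields = fields.iter().map(|(k, v)| (k.to_ascii_lowercase(), v.to_string())).collect();
        PostForm { fields, file_len }
    }
}

/// Enforce the policy conditions against the submitted form. Run this after the signature over
/// the policy is verified and before anything is written; the vulnerable versions skipped it.
pub fn validate_post_policy(conditions: &[Condition], form: &PostForm) -> Result<(), PolicyViolation> {
    let mut constrained: Vec<String> = Vec::new();
    for cond in conditions {
        let (field, expected, is_prefix) = match cond {
            Condition::Eq { field, value } => (field, value, false),
            Condition::StartsWith { field, prefix } => (field, prefix, true),
            // Size comes from the body actually read, never from a client-supplied header.
            Condition::ContentLengthRange { min, max } => {
                if form.file_len < *min || form.file_len > *max {
                    return Err(PolicyViolation::ContentLengthOutOfRange { min: *min, max: *max, got: form.file_len });
                }
                continue;
            }
        };
        // Strip the policy's `$` prefix; compare names case-insensitively (empty starts-with prefix = any value).
        let name = field.trim_start_matches('$').to_ascii_lowercase();
        let got = form.fields.get(&name).ok_or_else(|| PolicyViolation::MissingField(name.clone()))?;
        let ok = if is_prefix { got.starts_with(expected.as_str()) } else { got == expected };
        if !ok {
            return Err(PolicyViolation::Mismatch { field: name, expected: expected.clone(), got: got.clone() });
        }
        constrained.push(name);
    }
    // S3 rule: every non-exempt field must be covered by a condition (no smuggling an unconstrained `key`).
    for name in form.fields.keys() {
        if EXEMPT_FIELDS.contains(&name.as_str()) || name.starts_with("x-ignore-") {
            continue;
        }
        if !constrained.contains(name) {
            return Err(PolicyViolation::UnconstrainedField(name.clone()));
        }
    }
    Ok(())
}

/// Constructed sample policy: one bucket, one user's key prefix, images only, at most 1 MiB.
pub fn demo_policy() -> Vec<Condition> {
    vec![
        Condition::Eq { field: "bucket".into(), value: "uploads".into() },
        Condition::StartsWith { field: "$key".into(), prefix: "user/alice/".into() },
        Condition::StartsWith { field: "$Content-Type".into(), prefix: "image/".into() },
        Condition::ContentLengthRange { min: 1, max: 1_048_576 },
    ]
}

/// Constructed sample form; the policy and signature values are placeholders (both exempt fields).
pub fn demo_form(key: &str, content_type: &str, file_len: u64) -> PostForm {
    let fields = [("bucket", "uploads"), ("key", key), ("Content-Type", content_type),
                  ("policy", "<base64 policy>"), ("x-amz-signature", "<hex signature>")];
    PostForm::new(&fields, file_len)
}

fn main() {
    let policy = demo_policy();
    for (label, form) in vec![
        ("compliant", demo_form("user/alice/avatar.png", "image/png", 2048)),
        ("oversized", demo_form("user/alice/big.png", "image/png", 50_000_000)),
        ("foreign key", demo_form("etc/config.yaml", "image/png", 2048)),
        ("spoofed type", demo_form("user/alice/page.png", "text/html", 2048)),
    ] {
        println!("{label}: {:?}", validate_post_policy(&policy, &form));
    }
}
```

The four cases in main() mirror the three bypasses in the description plus the compliant baseline. The content-length check deliberately uses the length of the body actually received rather than a declared Content-Length, since a client-supplied length is itself attacker-controlled, and the final loop rejects any field the policy author never constrained, which is what stops a client from simply adding a `key` field to a policy that forgot to pin one.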

Details

CWE(s): CWE-20 (Improper Input Validation), CWE-863 (Incorrect Authorization), as cited in the security summary above

Affected Products: vendor rustfs, product rustfs, version 1.0.0 (pre-release builds 1.0.0-alpha.56 through 1.0.0-alpha.82 per the description; fixed in 1.0.0-alpha.83)

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

The vulnerability lets an adversary exploit a remote object storage service (T1210) by bypassing presigned POST policy checks; oversized uploads can exhaust storage and deny service (T1499.004), and writes to arbitrary object keys allow stored data manipulation (T1565.001). Note that T1210 describes exploiting an internal service from an existing foothold, whereas the CVSS vector (AV:N) covers an Internet-facing PostObject endpoint as well, so that mapping is approximate.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

References

GHSA-w5fh-f8xh-5x3p (GitHub Security Advisory): https://github.com/rustfs/rustfs/security/advisories/GHSA-w5fh-f8xh-5x3p