{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27607", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T19:43:14.602Z", "datePublished": "2026-02-25T02:10:28.086Z", "dateUpdated": "2026-02-25T20:06:03.487Z"}, "containers": {"cna": {"title": "RustFS's Missing Post Policy Validation leads to Arbitrary Object Write", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/rustfs/rustfs/security/advisories/GHSA-w5fh-f8xh-5x3p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-w5fh-f8xh-5x3p"}], "affected": [{"vendor": "rustfs", "product": "rustfs", "versions": [{"version": ">= 1.0.0-alpha.56, < 1.0.0-alpha.83", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T02:10:28.086Z"}, "descriptions": [{"lang": "en", "value": "RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses. Version 1.0.0-alpha.83 fixes the issue."}], "source": {"advisory": "GHSA-w5fh-f8xh-5x3p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T20:05:51.123736Z", "id": "CVE-2026-27607", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T20:06:03.487Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27607", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-25T20:05:51.123736Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T20:05:56.899Z"}}], "cna": {"title": "RustFS's Missing Post Policy Validation leads to Arbitrary Object Write", "source": {"advisory": "GHSA-w5fh-f8xh-5x3p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "rustfs", "product": "rustfs", "versions": [{"status": "affected", "version": ">= 1.0.0-alpha.56, < 1.0.0-alpha.83"}]}], "references": [{"url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-w5fh-f8xh-5x3p", "name": "https://github.com/rustfs/rustfs/security/advisories/GHSA-w5fh-f8xh-5x3p", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses. Version 1.0.0-alpha.83 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T02:10:28.086Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27607", "state": "PUBLISHED", "dateUpdated": "2026-02-25T20:06:03.487Z", "dateReserved": "2026-02-20T19:43:14.602Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-25T02:10:28.086Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha56:*:*:*:rust:*:*", "matchCriteriaId": "5BE55B7E-3806-4F8A-B09C-7B9D173D3FAE", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha57:*:*:*:rust:*:*", "matchCriteriaId": "8CF07DA6-11F6-4A19-9FD9-1955EC22C779", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha58:*:*:*:rust:*:*", "matchCriteriaId": "1A571B98-0EE7-46A6-8514-3E02F9CE969A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha59:*:*:*:rust:*:*", "matchCriteriaId": "3263EEC7-94FF-4802-BCB2-0C3713079439", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha60:*:*:*:rust:*:*", "matchCriteriaId": "FA13E6EE-A889-408E-8503-2F57A5E46CE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha61:*:*:*:rust:*:*", "matchCriteriaId": "4D28A63E-ADE5-4DEC-8E75-0884A7011613", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha62:*:*:*:rust:*:*", "matchCriteriaId": "21E6129E-565C-45AE-A0C8-2D1B623EEC9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha63:*:*:*:rust:*:*", "matchCriteriaId": "046F640C-18E9-4FC4-812D-8E4CAAFCAE55", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha64:*:*:*:rust:*:*", "matchCriteriaId": "BFB217B7-78AA-4D16-9A2B-863BD6CD01B6", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha65:*:*:*:rust:*:*", "matchCriteriaId": "F8EEF3FF-410B-40F3-A144-CD61ED394109", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha66:*:*:*:rust:*:*", "matchCriteriaId": "E3494138-7FE7-4152-935C-C1C35179064B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha67:*:*:*:rust:*:*", "matchCriteriaId": "9E0461BC-0E45-4F9F-A837-4D9FC8852A75", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha68:*:*:*:rust:*:*", "matchCriteriaId": "E259407D-61CF-4956-A456-57F131334456", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha69:*:*:*:rust:*:*", "matchCriteriaId": "B6E44EF8-98A5-47F5-B7E9-3199EB08FAC1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha70:*:*:*:rust:*:*", "matchCriteriaId": "F4CBBD85-02F9-491A-8845-59EFB88F2DAF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha71:*:*:*:rust:*:*", "matchCriteriaId": "2271380A-3AE1-4954-8D16-5065C8E88D32", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha72:*:*:*:rust:*:*", "matchCriteriaId": "DB3F6C7E-71E4-427A-96F4-F62DE0ED9450", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha73:*:*:*:rust:*:*", "matchCriteriaId": "980BEAAE-143E-4F28-9A2F-58CED3D296E9", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha74:*:*:*:rust:*:*", "matchCriteriaId": "8E14C88E-CE9B-44DA-98DE-280C0D6E4C8D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha75:*:*:*:rust:*:*", "matchCriteriaId": "EEC13614-61AD-45A7-B7FA-07346D33CACF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha76:*:*:*:rust:*:*", "matchCriteriaId": "6B3E9EB0-0A41-4146-B6A9-49B1A70358DC", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha77:*:*:*:rust:*:*", "matchCriteriaId": "CBDD75C5-1A08-4758-9324-172C1D539322", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha78:*:*:*:rust:*:*", "matchCriteriaId": "96461CC0-012C-40D7-B1CB-FF9A6B7EB644", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha79:*:*:*:rust:*:*", "matchCriteriaId": "9AA7AE2E-83E3-4796-8569-16030DB2CF38", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha80:*:*:*:rust:*:*", "matchCriteriaId": "73638EAF-BCA6-4BD8-90E5-3A53EFD0FD5C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha81:*:*:*:rust:*:*", "matchCriteriaId": "48BCB4A7-57C5-4FAA-860D-B862947EE352", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha82:*:*:*:rust:*:*", "matchCriteriaId": "0EA73A06-6AEA-45DF-B819-D25AA9BBEBA7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses. Version 1.0.0-alpha.83 fixes the issue."}], "id": "CVE-2026-27607", "lastModified": "2026-02-25T15:37:08.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-25T03:16:04.787", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-w5fh-f8xh-5x3p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0-alpha.56,1.0.0-alpha.83)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "rustfs", "source": "cna", "vendor": "rustfs"}, "product": "rustfs", "vendor": "rustfs"}], "analysis": {"en": {"generated_at": "2026-04-17T15:31:54.093862+00:00", "value": {"mitigation_remediation": ["Upgrade to RustFS 1.0.0\u2011alpha.83 or later, where policy validation is correctly enforced.", "If an upgrade cannot be performed immediately, limit the use of presigned POST URLs to trusted clients and enforce stricter policy checks or disable the ability to set arbitrary policies via presigned uploads.", "Monitor upload activity for unusually large files or writes to unexpected keys, and consider network\u2011level controls to throttle or block excessive upload traffic."], "summary": {"action": "Apply Patch", "impact": "Arbitrary Object Write"}, "threat_synthesis": {"affected_systems": "The affected product is RustFS (RustFS rustfs). All releases from 1.0.0\u2011alpha.56 through 1.0.0\u2011alpha.82 are vulnerable. Version 1.0.0\u2011alpha.83 and later contain the fix.", "description_and_impact": "RustFS is a Rust\u2011based distributed object storage system. Between versions 1.0.0\u2011alpha.56 and 1.0.0\u2011alpha.82 the implementation of presigned POST uploads (PostObject) fails to validate policy conditions. This omission allows an attacker to ignore content-length-range, starts-with, and Content-Type restrictions, enabling uploads that exceed the intended size, are stored under arbitrary keys, and carry spoofed content types. As a consequence the attacker may exhaust storage resources, retrieve data that should be restricted, or bypass security controls that rely on these policy constraints.", "risk_and_exploitability": "The vulnerability receives a CVSS score of 8.1 (High). EPSS indicates a very low probability of exploitation (<1%) and the issue is not listed in the CISA KEV catalog. The likely attack surface is remote, as the flaw is triggered via any client that can obtain a presigned POST URL. Exploitation requires only knowledge of the presigned URL, which may be widely shared, so the severity remains high despite the low exploitation likelihood."}}}}, "created": "2026-02-25T11:35:06.385744+00:00", "updated": "2026-04-17T15:45:15.884505+00:00", "vendors": ["rustfs", "rustfs$PRODUCT$rustfs"]}