{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39360", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T21:29:17.349Z", "datePublished": "2026-04-07T18:58:29.974Z", "dateUpdated": "2026-04-07T19:28:22.541Z"}, "containers": {"cna": {"title": "RustFS has an authorization bypass in multipart UploadPartCopy enables cross-bucket object exfiltration", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/rustfs/rustfs/security/advisories/GHSA-mx42-j6wv-px98", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-mx42-j6wv-px98"}], "affected": [{"vendor": "rustfs", "product": "rustfs", "versions": [{"version": "< alpha.90", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T18:58:29.974Z"}, "descriptions": [{"lang": "en", "value": "RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the multipart copy path (UploadPartCopy). A low-privileged user who cannot read objects from a victim bucket can still exfiltrate victim objects by copying them into an attacker-controlled multipart upload and completing the upload. This breaks tenant isolation in multi-user / multi-tenant deployments. This vulnerability is fixed in alpha.90."}], "source": {"advisory": "GHSA-mx42-j6wv-px98", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T19:28:14.077610Z", "id": "CVE-2026-39360", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T19:28:22.541Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39360", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T19:28:14.077610Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T19:28:18.251Z"}}], "cna": {"title": "RustFS has an authorization bypass in multipart UploadPartCopy enables cross-bucket object exfiltration", "source": {"advisory": "GHSA-mx42-j6wv-px98", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "rustfs", "product": "rustfs", "versions": [{"status": "affected", "version": "< alpha.90"}]}], "references": [{"url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-mx42-j6wv-px98", "name": "https://github.com/rustfs/rustfs/security/advisories/GHSA-mx42-j6wv-px98", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the multipart copy path (UploadPartCopy). A low-privileged user who cannot read objects from a victim bucket can still exfiltrate victim objects by copying them into an attacker-controlled multipart upload and completing the upload. This breaks tenant isolation in multi-user / multi-tenant deployments. This vulnerability is fixed in alpha.90."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T18:58:29.974Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39360", "state": "PUBLISHED", "dateUpdated": "2026-04-07T19:28:22.541Z", "dateReserved": "2026-04-06T21:29:17.349Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T18:58:29.974Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha1:*:*:*:rust:*:*", "matchCriteriaId": "454A2F3A-76CF-4F2D-97FE-AEDEBE8FF1CA", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha10:*:*:*:rust:*:*", "matchCriteriaId": "32B2D146-7920-4C6D-B42F-1BDDF5193394", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha11:*:*:*:rust:*:*", "matchCriteriaId": "B25BC365-35BA-438A-B5B1-3FA696767821", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha12:*:*:*:rust:*:*", "matchCriteriaId": "B69213F1-7D94-4185-9309-FF3140733550", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha13:*:*:*:rust:*:*", "matchCriteriaId": "BD2476D6-257C-4A96-BED4-D8B002402242", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha14:*:*:*:rust:*:*", "matchCriteriaId": "774EC64C-73ED-4D6B-893B-30A066DA934C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha15:*:*:*:rust:*:*", "matchCriteriaId": "4B567F4F-131F-4D4B-8C0C-9212F22F2BB3", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha16:*:*:*:rust:*:*", "matchCriteriaId": "711F7641-A2B2-410B-B05D-6656F9A1798F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha17:*:*:*:rust:*:*", "matchCriteriaId": "EB79AC62-2B79-441C-BC09-4C834C32EADA", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha18:*:*:*:rust:*:*", "matchCriteriaId": "62DE84EE-9F3B-460A-AC13-D2B8CCBC5B4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha19:*:*:*:rust:*:*", "matchCriteriaId": "DEF70599-6550-49D2-9800-FE3249A66568", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha2:*:*:*:rust:*:*", "matchCriteriaId": "550786BD-A6A4-454B-BDAB-67AE64DABCA7", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha20:*:*:*:rust:*:*", "matchCriteriaId": "FDFE93A5-B6D7-482A-A891-4D8844604C07", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha21:*:*:*:rust:*:*", "matchCriteriaId": "79AC4F00-B006-46C2-863F-2946BB02B58E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha22:*:*:*:rust:*:*", "matchCriteriaId": "E313A243-ED56-498D-988F-E088693EBB61", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha23:*:*:*:rust:*:*", "matchCriteriaId": "D3A60CB7-1F01-4A60-8555-C225AC89B959", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha24:*:*:*:rust:*:*", "matchCriteriaId": "1C98618D-CF5D-406B-8AA5-34B412F3D43D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha25:*:*:*:rust:*:*", "matchCriteriaId": "98373960-FEDB-4933-92D5-2A597045DD23", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha26:*:*:*:rust:*:*", "matchCriteriaId": "83E0E1A5-3C07-45FF-80FD-0DB375E1575E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha27:*:*:*:rust:*:*", "matchCriteriaId": "C2D66076-4005-4F58-A8E2-69062053D786", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha28:*:*:*:rust:*:*", "matchCriteriaId": "1D8CB0F5-299F-4BB0-B264-F5642DD991C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha29:*:*:*:rust:*:*", "matchCriteriaId": "96E20418-FE0C-4202-8771-FFF8EBB1B62D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha3:*:*:*:rust:*:*", "matchCriteriaId": "C16A625B-3FC4-48EB-9107-6E7585080D15", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha30:*:*:*:rust:*:*", "matchCriteriaId": "810A17F9-AEEA-4396-B437-120789BBE882", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha31:*:*:*:rust:*:*", "matchCriteriaId": "7B1FECD4-E993-417D-AEA7-F8E97DC6A5FA", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha32:*:*:*:rust:*:*", "matchCriteriaId": "3839F299-E0E7-4994-A8AC-B67A534C9847", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha33:*:*:*:rust:*:*", "matchCriteriaId": "46CAEA4E-5DFD-4668-ABF0-DC53EB04EE7B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha34:*:*:*:rust:*:*", "matchCriteriaId": "591075AB-81EF-4D42-A2A0-FA28BC6B78CC", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha35:*:*:*:rust:*:*", "matchCriteriaId": "FD46ED07-6DCC-4BF8-A4E8-78B2FF6DCE4C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha36:*:*:*:rust:*:*", "matchCriteriaId": "6DF15533-D6E1-49B0-B30A-6FEECC7AE06C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha37:*:*:*:rust:*:*", "matchCriteriaId": "EC68F03A-D299-4BFB-A99E-4B08E4E0848F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha38:*:*:*:rust:*:*", "matchCriteriaId": "0DD60024-CAB2-4DA6-A9CA-503D2631E98B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha39:*:*:*:rust:*:*", "matchCriteriaId": "32470ED0-7873-41A3-B2D5-7CD444ED0A45", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha4:*:*:*:rust:*:*", "matchCriteriaId": "A88E9293-4B7C-4C52-9943-47197DB55D59", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha40:*:*:*:rust:*:*", "matchCriteriaId": "E2EFC74D-40E7-426C-9F7B-3B654F2B940F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha41:*:*:*:rust:*:*", "matchCriteriaId": "EAAF504E-51A5-492B-887E-BB67788B899C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha42:*:*:*:rust:*:*", "matchCriteriaId": "35C83244-D2C7-4D70-9C0B-D0590B00C608", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha43:*:*:*:rust:*:*", "matchCriteriaId": "429E4ECD-997A-4D3B-9DE2-60835AE14473", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha44:*:*:*:rust:*:*", "matchCriteriaId": "5DDDBAA5-D207-498C-A6F0-79F07806C511", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha45:*:*:*:rust:*:*", "matchCriteriaId": "81758B85-6D2B-4914-96EC-E4CCDE2F9A52", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha46:*:*:*:rust:*:*", "matchCriteriaId": "D439B484-E32D-4A6A-84EE-9307A028F736", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha47:*:*:*:rust:*:*", "matchCriteriaId": "FDA137F7-DC8A-44F4-8061-F502AC8DD7BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha48:*:*:*:rust:*:*", "matchCriteriaId": "AE3EF7B3-E8C0-4844-9165-3A26EB426615", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha49:*:*:*:rust:*:*", "matchCriteriaId": "EB40D926-AE20-46A7-9B6E-ED1BADB9A08B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha5:*:*:*:rust:*:*", "matchCriteriaId": "7F5E8DE5-ABB0-4884-B473-07FA596A8707", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha50:*:*:*:rust:*:*", "matchCriteriaId": "3A43A950-59A6-4343-815A-953C11DC3F13", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha51:*:*:*:rust:*:*", "matchCriteriaId": "87B36190-C30B-45BC-9738-BE0B3321025D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha52:*:*:*:rust:*:*", "matchCriteriaId": "86A2967C-E2C6-4C73-9BDE-CCECACDB2B02", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha53:*:*:*:rust:*:*", "matchCriteriaId": "5E10A654-E265-4469-8099-ABBB1F5D8BCF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha54:*:*:*:rust:*:*", "matchCriteriaId": "762591A8-A0A2-45D2-B15F-1E85DFC5CA86", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha55:*:*:*:rust:*:*", "matchCriteriaId": "53DE196C-1914-40AE-854D-4988073D57C3", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha56:*:*:*:rust:*:*", "matchCriteriaId": "5BE55B7E-3806-4F8A-B09C-7B9D173D3FAE", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha57:*:*:*:rust:*:*", "matchCriteriaId": "8CF07DA6-11F6-4A19-9FD9-1955EC22C779", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha58:*:*:*:rust:*:*", "matchCriteriaId": "1A571B98-0EE7-46A6-8514-3E02F9CE969A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha59:*:*:*:rust:*:*", "matchCriteriaId": "3263EEC7-94FF-4802-BCB2-0C3713079439", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha6:*:*:*:rust:*:*", "matchCriteriaId": "2B55C391-0232-4F06-A9D8-3663FA564E81", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha60:*:*:*:rust:*:*", "matchCriteriaId": "FA13E6EE-A889-408E-8503-2F57A5E46CE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha61:*:*:*:rust:*:*", "matchCriteriaId": "4D28A63E-ADE5-4DEC-8E75-0884A7011613", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha62:*:*:*:rust:*:*", "matchCriteriaId": "21E6129E-565C-45AE-A0C8-2D1B623EEC9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha63:*:*:*:rust:*:*", "matchCriteriaId": "046F640C-18E9-4FC4-812D-8E4CAAFCAE55", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha64:*:*:*:rust:*:*", "matchCriteriaId": "BFB217B7-78AA-4D16-9A2B-863BD6CD01B6", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha65:*:*:*:rust:*:*", "matchCriteriaId": "F8EEF3FF-410B-40F3-A144-CD61ED394109", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha66:*:*:*:rust:*:*", "matchCriteriaId": "E3494138-7FE7-4152-935C-C1C35179064B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha67:*:*:*:rust:*:*", "matchCriteriaId": "9E0461BC-0E45-4F9F-A837-4D9FC8852A75", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha68:*:*:*:rust:*:*", "matchCriteriaId": "E259407D-61CF-4956-A456-57F131334456", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha69:*:*:*:rust:*:*", "matchCriteriaId": "B6E44EF8-98A5-47F5-B7E9-3199EB08FAC1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha7:*:*:*:rust:*:*", "matchCriteriaId": "54AB158B-F536-4627-8C6B-65AEE112FDF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha70:*:*:*:rust:*:*", "matchCriteriaId": "F4CBBD85-02F9-491A-8845-59EFB88F2DAF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha71:*:*:*:rust:*:*", "matchCriteriaId": "2271380A-3AE1-4954-8D16-5065C8E88D32", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha72:*:*:*:rust:*:*", "matchCriteriaId": "DB3F6C7E-71E4-427A-96F4-F62DE0ED9450", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha73:*:*:*:rust:*:*", "matchCriteriaId": "980BEAAE-143E-4F28-9A2F-58CED3D296E9", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha74:*:*:*:rust:*:*", "matchCriteriaId": "8E14C88E-CE9B-44DA-98DE-280C0D6E4C8D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha75:*:*:*:rust:*:*", "matchCriteriaId": "EEC13614-61AD-45A7-B7FA-07346D33CACF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha76:*:*:*:rust:*:*", "matchCriteriaId": "6B3E9EB0-0A41-4146-B6A9-49B1A70358DC", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha77:*:*:*:rust:*:*", "matchCriteriaId": "CBDD75C5-1A08-4758-9324-172C1D539322", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha78:*:*:*:rust:*:*", "matchCriteriaId": "96461CC0-012C-40D7-B1CB-FF9A6B7EB644", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha79:*:*:*:rust:*:*", "matchCriteriaId": "9AA7AE2E-83E3-4796-8569-16030DB2CF38", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha8:*:*:*:rust:*:*", "matchCriteriaId": "F800AEB3-3AD7-42D8-BC3A-23703851435B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha80:*:*:*:rust:*:*", "matchCriteriaId": "73638EAF-BCA6-4BD8-90E5-3A53EFD0FD5C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha81:*:*:*:rust:*:*", "matchCriteriaId": "48BCB4A7-57C5-4FAA-860D-B862947EE352", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha82:*:*:*:rust:*:*", "matchCriteriaId": "0EA73A06-6AEA-45DF-B819-D25AA9BBEBA7", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha83:*:*:*:rust:*:*", "matchCriteriaId": "A82C642A-14DD-4D6E-920F-BF05CEA173AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha84:*:*:*:rust:*:*", "matchCriteriaId": "CA33A8E8-C07B-46F1-81CB-D61429EDDBFC", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha85:*:*:*:rust:*:*", "matchCriteriaId": "2178E577-606B-4ABA-B747-4584F444B235", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha86:*:*:*:rust:*:*", "matchCriteriaId": "77E9B4E9-2828-458A-8086-24A1E3ECCA1F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha87:*:*:*:rust:*:*", "matchCriteriaId": "83DF75E6-D5A9-4CCF-9580-D10BDFB9DAC4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha88:*:*:*:rust:*:*", "matchCriteriaId": "0DAE6A6F-4CFE-4D5B-981B-18212A654EF4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha89:*:*:*:rust:*:*", "matchCriteriaId": "B2762E72-9390-48A7-AD63-0EB7510442DF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha9:*:*:*:rust:*:*", "matchCriteriaId": "5821FADC-CF73-4639-911A-F3302D239B7C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the multipart copy path (UploadPartCopy). A low-privileged user who cannot read objects from a victim bucket can still exfiltrate victim objects by copying them into an attacker-controlled multipart upload and completing the upload. This breaks tenant isolation in multi-user / multi-tenant deployments. This vulnerability is fixed in alpha.90."}], "id": "CVE-2026-39360", "lastModified": "2026-04-10T19:03:17.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T19:16:46.673", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-mx42-j6wv-px98"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,alpha.90)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "rustfs", "source": "cna", "vendor": "rustfs"}, "product": "rustfs", "vendor": "rustfs"}], "analysis": {"en": {"generated_at": "2026-04-10T20:29:51.711107+00:00", "value": {"mitigation_remediation": ["Update RustFS to version alpha.90 or later.", "Verify that no low\u2011privileged users retain multipart upload permissions beyond what is needed for legitimate use.", "Monitor for anomalous multipart uploads and review access controls to ensure isolation between tenants."], "summary": {"action": "Apply Patch", "impact": "Unauthorized data exfiltration via multipart copy"}, "threat_synthesis": {"affected_systems": "The issue affects the RustFS distributed object storage system. All releases from the initial alpha release up through alpha.89 are vulnerable; the fix begins at alpha.90. The affected product is rustfs:rustfs, and the relevant CPE entries represent each alpha milestone up to alpha.89.", "description_and_impact": "RustFS\u2019s multipart copy API (UploadPartCopy) lacks an authorization check in versions before alpha.90. As a result, a user with only low privileges\u2014who normally cannot read objects from another bucket\u2014can copy victim objects into a multipart upload controlled by the attacker and then complete the upload. This flaw allows the attacker to retrieve data from a target bucket without needing read permissions, effectively breaking tenant isolation in multi\u2011tenant deployments. The vulnerability ultimately enables a user to exfiltrate confidential data from another user\u2019s bucket.", "risk_and_exploitability": "The CVSS base score of 5.3 classifies the flaw as medium severity. The EPSS score of less than 1% indicates a low likelihood of widespread exploitation, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers would trigger the exploit via the REST API, sending an UploadPartCopy request from a low\u2011privilege account to a victim bucket. The scope of the impact is confined to data exfiltration from affected buckets, but it represents a significant breach of isolation in multi\u2011tenant environments. Given its medium score and low exploitation probability, the risk is moderate, but organizations with sensitive data are advised to remediate promptly."}}}}, "created": "2026-04-08T19:34:52.216646+00:00", "updated": "2026-04-13T14:26:19.313200+00:00", "vendors": ["rustfs", "rustfs$PRODUCT$rustfs"]}