CVE-2026-27607 Overview
RustFS, a distributed object storage system built in Rust, contains a critical authorization bypass vulnerability in its presigned POST upload (PostObject) functionality. In affected versions, RustFS fails to validate policy conditions in presigned POST uploads, allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses.
Critical Impact
Attackers can bypass all policy constraints in presigned POST uploads, enabling storage exhaustion attacks, unauthorized data placement, and security control circumvention in distributed storage environments.
Affected Products
- RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82
- All deployments using presigned POST upload functionality
- Cloud-native and on-premises RustFS object storage installations
Discovery Timeline
- 2026-02-25 - CVE-2026-27607 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-27607
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) and incorrect authorization (CWE-863) in RustFS's PostObject implementation. Presigned POST uploads in S3-compatible storage systems rely on policy documents that define constraints for uploads—including size limits, allowed key prefixes, and content types. The vulnerable RustFS versions fail to enforce these policy conditions, rendering all constraint-based security controls ineffective.
When a presigned POST URL is generated, the server should validate that incoming upload requests comply with the embedded policy conditions. The affected RustFS versions accept the policy but do not verify that the actual upload parameters match the specified constraints. This allows an attacker with access to a presigned URL to upload files that violate every policy restriction.
Root Cause
The root cause is a missing validation step in the PostObject request handler. When processing multipart form data uploads through presigned POST URLs, RustFS parses the policy document but fails to execute the condition verification logic. The content-length-range condition that should enforce minimum and maximum file sizes is not checked, the starts-with condition for key prefix validation is ignored, and Content-Type restrictions are not enforced against the actual uploaded content.
Attack Vector
An attacker can exploit this vulnerability remotely without authentication by obtaining or intercepting a legitimate presigned POST URL. The attack requires network access to the RustFS endpoint and knowledge of a valid presigned POST URL structure.
The exploitation process involves crafting malicious upload requests that violate policy constraints. For storage exhaustion, an attacker could upload extremely large files despite content-length-range restrictions. For unauthorized data access, uploads could be placed at arbitrary object keys, potentially overwriting existing objects or accessing restricted bucket paths. For security bypasses, malicious content types could be uploaded to evade security scanning or content filtering based on MIME type.
This vulnerability is particularly dangerous in multi-tenant environments where presigned URLs are distributed to untrusted clients with the expectation that policy constraints will be enforced server-side.
Detection Methods for CVE-2026-27607
Indicators of Compromise
- Unexpected large file uploads that exceed configured size limits in storage monitoring
- Objects created with keys that do not match expected presigned URL patterns
- Anomalous Content-Type headers in uploaded objects that differ from policy constraints
- Rapid storage consumption or quota exhaustion events
Detection Strategies
- Monitor PostObject API calls and compare actual upload sizes against expected policy limits
- Implement alerting on object key patterns that deviate from application-defined prefixes
- Audit storage bucket access logs for uploads with mismatched Content-Type headers
- Deploy application-layer firewalls to inspect presigned POST request compliance
Monitoring Recommendations
- Enable detailed access logging for all RustFS buckets using presigned POST functionality
- Configure storage quota alerts to detect rapid consumption indicative of storage exhaustion attacks
- Implement real-time monitoring of object creation events with metadata validation
- Review presigned URL generation patterns and distribution channels for potential exposure
How to Mitigate CVE-2026-27607
Immediate Actions Required
- Upgrade RustFS to version 1.0.0-alpha.83 or later immediately
- Audit existing storage buckets for unauthorized or oversized objects uploaded during the vulnerable period
- Revoke and regenerate all active presigned POST URLs after applying the patch
- Review access logs for signs of exploitation prior to patching
Patch Information
The vulnerability is fixed in RustFS version 1.0.0-alpha.83. Organizations should update to this version or later to ensure presigned POST policy conditions are properly validated. The security advisory is available at the RustFS GitHub Security Advisory.
Workarounds
- Disable presigned POST upload functionality if not critical to operations until patching is possible
- Implement network-level access controls to restrict PostObject endpoint access to trusted sources
- Deploy a reverse proxy with custom validation logic to enforce policy constraints at the network edge
- Use alternative upload methods such as presigned PUT URLs which may not be affected by this specific vulnerability
# Verify RustFS version and upgrade
rustfs --version
# If version is between 1.0.0-alpha.56 and 1.0.0-alpha.82, upgrade immediately
# Example upgrade command (adjust based on deployment method)
cargo install rustfs --version ">=1.0.0-alpha.83"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
