CVE-2026-39360 Overview
CVE-2026-39360 is a missing authorization vulnerability in RustFS, a distributed object storage system built in Rust. Prior to version alpha.90, RustFS contains a missing authorization check in the multipart copy path (UploadPartCopy). This flaw allows a low-privileged user who cannot read objects from a victim bucket to still exfiltrate victim objects by copying them into an attacker-controlled multipart upload and completing the upload. This vulnerability breaks tenant isolation in multi-user and multi-tenant deployments.
Critical Impact
Low-privileged attackers can bypass access controls to exfiltrate data from buckets they should not have access to, breaking tenant isolation in shared environments.
Affected Products
- RustFS versions prior to alpha.90
Discovery Timeline
- 2026-04-07 - CVE-2026-39360 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-39360
Vulnerability Analysis
This vulnerability stems from CWE-862 (Missing Authorization), a critical access control flaw where the application fails to perform necessary authorization checks before granting access to a protected resource. In the context of RustFS, the multipart copy functionality (UploadPartCopy) does not properly verify that the requesting user has read permissions on the source object before allowing the copy operation to proceed.
The attack exploits a gap between the authorization model for direct object access and the authorization model for multipart upload operations. While RustFS correctly enforces read permissions when users attempt to directly access objects via standard GET operations, the UploadPartCopy endpoint bypasses these checks. This creates an authorization bypass that allows data exfiltration without triggering normal access controls.
Root Cause
The root cause is a missing authorization check in the UploadPartCopy code path. When a user initiates a multipart upload and uses the copy functionality to add parts from other buckets, the system fails to validate whether the requesting user has the necessary read permissions on the source bucket and object. The authorization logic only verifies write permissions to the destination bucket (which the attacker controls) but neglects to check read permissions on the source object being copied.
Attack Vector
An attacker exploits this vulnerability through a network-based attack requiring low privileges (authenticated access to the RustFS system). The attack flow proceeds as follows:
- The attacker authenticates to RustFS with low-privilege credentials that grant write access to at least one bucket
- The attacker initiates a multipart upload to their own controlled bucket
- Using the UploadPartCopy operation, the attacker specifies a source object from a victim's bucket
- RustFS copies the data without checking if the attacker has read permissions on the source
- The attacker completes the multipart upload, gaining full access to the exfiltrated data
This attack is particularly dangerous in multi-tenant environments where bucket isolation is critical for security. The vulnerability requires no user interaction and can be executed with low attack complexity. For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2026-39360
Indicators of Compromise
- Multipart uploads with UploadPartCopy operations where the source bucket differs from the destination bucket
- Cross-bucket copy operations initiated by users without read permissions on the source bucket
- Unusual patterns of multipart uploads targeting objects owned by other tenants
- Audit log entries showing UploadPartCopy requests that bypass normal access control logs
Detection Strategies
- Implement monitoring for UploadPartCopy API calls that reference cross-tenant or cross-bucket sources
- Deploy behavioral analytics to detect users accessing objects they have never legitimately accessed before
- Enable verbose logging for all multipart upload operations including source object references
- Create alerts for multipart uploads that complete with parts copied from multiple different source buckets
Monitoring Recommendations
- Review RustFS access logs for anomalous UploadPartCopy operations
- Monitor for spikes in multipart upload activity, particularly involving cross-bucket references
- Implement real-time alerting for any authorization failures followed by successful copy operations
- Audit tenant boundaries regularly to identify potential data exfiltration patterns
How to Mitigate CVE-2026-39360
Immediate Actions Required
- Upgrade RustFS to version alpha.90 or later immediately
- Audit multipart upload logs for any suspicious cross-bucket copy operations
- Review tenant data for signs of unauthorized access or exfiltration
- Temporarily disable the UploadPartCopy functionality if upgrade is not immediately possible
Patch Information
The vulnerability has been fixed in RustFS version alpha.90. Organizations running affected versions should upgrade immediately. The fix ensures that proper authorization checks are performed on the source object during UploadPartCopy operations, verifying that the requesting user has read permissions before allowing the copy to proceed. For more information, refer to the GitHub Security Advisory.
Workarounds
- Restrict access to the UploadPartCopy API endpoint at the network or reverse proxy level
- Implement additional authorization middleware to validate source object permissions before forwarding requests
- Isolate tenant workloads to separate RustFS instances if possible until patching is complete
- Enable enhanced logging and monitoring to detect exploitation attempts
# Example: Restrict UploadPartCopy at reverse proxy level (nginx)
# Add to location block handling RustFS API requests
location /api/v1/ {
# Block UploadPartCopy requests until patch is applied
if ($request_uri ~* "uploadPartCopy") {
return 403;
}
proxy_pass http://rustfs_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
