Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-62378

CVE-2026-62378: RustFS Console XSS Vulnerability

CVE-2026-62378 is a stored XSS vulnerability in RustFS Console that allows attackers to expose administrator credentials through malicious PDF files. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-62378 Overview

CVE-2026-62378 is a stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console, the web management interface for the RustFS distributed file system. The flaw affects versions 0.1.7 through 0.1.9 and stems from an extension-based PDF preview path in components/object/preview-modal.tsx and components/object/pdf-viewer.tsx. Attackers can upload HTML content with a .pdf extension, which the console renders as HTML rather than treating as a PDF. This vulnerability is a regression of CVE-2026-27822 and is classified under [CWE-79]. RustFS released a fix in version 0.1.10.

Critical Impact

Successful exploitation enables stored XSS in the management console, exposing administrator AccessKeyId, SecretAccessKey, and SessionToken values to attackers.

Affected Products

  • RustFS Console 0.1.7
  • RustFS Console 0.1.8
  • RustFS Console 0.1.9

Discovery Timeline

  • 2026-07-15 - CVE-2026-62378 published to NVD
  • 2026-07-15 - Last updated in NVD database

Technical Details for CVE-2026-62378

Vulnerability Analysis

The RustFS Console determines how to preview an uploaded object by inspecting either its declared content type or its filename extension. The PDF preview path accepts any object whose key ends in .pdf, regardless of the actual MIME type. When an attacker uploads an HTML file renamed with a .pdf extension, the console renders that content inside an active browser context. The rendered HTML executes arbitrary JavaScript with the same privileges as the authenticated console user. This behavior reintroduces the flaw originally tracked as CVE-2026-27822.

Root Cause

The root cause is insufficient content-type validation in the isPdfPreview helper. The function accepted either application/pdf or a .pdf filename suffix, allowing extension spoofing to bypass safe-rendering logic. Because the console does not sanitize or sandbox the object content before rendering, HTML and script tags execute in the console origin.

Attack Vector

An authenticated user with upload permissions places a crafted HTML payload into a bucket using a .pdf filename. When an administrator opens the object preview in the console, the payload executes and can exfiltrate the administrator's temporary credentials from browser memory or session storage. The exposed AccessKeyId, SecretAccessKey, and SessionToken grant the attacker administrative access to the RustFS deployment.

text
   return canRenderText ? "text" : "sandbox"
 }
 
-function isPdfPreview(contentType: string, objectKey: string) {
-  const keyLower = objectKey.toLowerCase()
-  return contentType === "application/pdf" || keyLower.endsWith(".pdf")
+function isPdfPreview(contentType: string) {
+  return contentType === "application/pdf"
 }
 
 function isParquetPreview(contentType: string, objectKey: string) {

Source: RustFS Console patch commit 49630dc

The patch removes the filename extension check, requiring the object to declare the application/pdf content type before the PDF preview path renders it.

Detection Methods for CVE-2026-62378

Indicators of Compromise

  • Objects uploaded with a .pdf extension whose stored content type is not application/pdf.
  • Objects with .pdf filenames whose byte content begins with <html, <script, or other HTML markers.
  • Unexpected outbound requests from administrator browser sessions immediately after opening a PDF preview.
  • Reuse of administrator AccessKeyId values from unfamiliar client IPs or user agents.

Detection Strategies

  • Inspect RustFS bucket contents for objects whose file extension does not match the actual content type detected by magic-byte analysis.
  • Correlate console preview activity with subsequent API calls that use administrator credentials from new source addresses.
  • Enable Content Security Policy (CSP) reporting in the console to surface inline script execution originating from preview iframes.

Monitoring Recommendations

  • Alert on any use of administrative AccessKeyId credentials outside expected IP ranges or automation windows.
  • Log every PUT operation containing HTML payloads (Content-Type: text/html or HTML magic bytes) targeting RustFS buckets.
  • Monitor RustFS Console access logs for elevated preview-modal request volume from non-administrator accounts.

How to Mitigate CVE-2026-62378

Immediate Actions Required

  • Upgrade RustFS Console to version 0.1.10 or later, which enforces content-type-only PDF previews.
  • Rotate all administrator AccessKeyId, SecretAccessKey, and SessionToken values that may have been exposed.
  • Audit existing buckets for objects with .pdf extensions containing HTML content and remove or quarantine them.

Patch Information

The fix is available in RustFS Console v0.1.10. See the GitHub Release v0.1.10 and the GHSA-7gcx-wg4x-q9x6 advisory for release notes and impact details. The corrective code change is documented in the patch commit 49630dc.

Workarounds

  • Restrict upload permissions to trusted service accounts until the console is upgraded.
  • Deploy a reverse proxy Content Security Policy that blocks inline script execution in the console origin.
  • Disable the object preview feature at the reverse proxy layer for .pdf requests where the upstream content type is not application/pdf.
bash
# Upgrade RustFS Console to the patched release
docker pull rustfs/console:0.1.10
docker stop rustfs-console && docker rm rustfs-console
docker run -d --name rustfs-console \
  -p 9000:9000 \
  rustfs/console:0.1.10

# Verify installed version
curl -s http://localhost:9000/version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.