Trust Issues: The RustFS IP Spoofing Bypass (CVE-2026-21862)
Vulnerability ID: CVE-2026-21862
CVSS Score: 7.7
Published: 2026-02-03
RustFS, a distributed object storage system designed for safety and performance, fell victim to one of the oldest tricks in the book: trusting client input. Prior to version alpha.78, the system determined a user's source IP address by blindly believing the 'X-Forwarded-For' header. This allowed attackers to bypass IP-based Access Control Lists (ACLs) by simply asking nicely—or rather, by spoofing a trusted IP address in their HTTP headers.
TL;DR
RustFS allowed attackers to bypass IP allowlists by spoofing the 'X-Forwarded-For' header. Fixed in alpha.78 by validating against the actual TCP socket address.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-290
- Attack Vector: Network (Layer 7)
- CVSS v4.0: 7.7 (High)
- Impact: Authorization Bypass
- Exploit Status: Proof of Concept (PoC) Available
- Components: get_condition_values (auth.rs)
Affected Systems
- RustFS < alpha.78 (fixed in alpha.78)
Code Analysis
Commit: b4ba62f
fix: use remote addr from socket instead of header
- let remote_addr = header.get("x-forwarded-for")...
+ let remote_addr = socket.peer_addr()...
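Review bot: the `+` line makes socket.peer_addr() the sole source of the client address, which is correct for direct connections but means that behind a reverse proxy or load balancer every request now carries the proxy's address, so an IP allowlist can only admit or block the proxy itself. Document that deployment constraint next to the fix, or accept X-Forwarded-For only when peer_addr() matches a configured trusted-proxy list, so the header is never believed from an arbitrary peer.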
Exploit Details
- Manual: curl -H 'X-Forwarded-For: '
Mitigation Strategies
- Update RustFS to version >= alpha.78
- Configure edge firewalls/WAFs to strip X-Forwarded-For headers from untrusted sources
- Implement strict mutual TLS (mTLS) instead of relying solely on IP allowlists
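To make the trust boundary concrete, here is an added Rust sketch (not RustFS code; the function names, trusted-proxy list and sample addresses are constructed) that puts the header-trusting address selection beside a hardened one that treats the TCP peer as authoritative and honours X-Forwarded-For only when the peer is a configured proxy, which is what the header-stripping mitigation above relies on at the edge.

```rust
use std::net::IpAddr;

/// Vulnerable selection (the behaviour the advisory describes for RustFS < alpha.78):
/// the client IP is whatever the first X-Forwarded-For entry claims.
fn client_ip_vulnerable(xff: Option<&str>, peer: IpAddr) -> IpAddr {
    xff.and_then(|h| h.split(',').next())
        .and_then(|s| s.trim().parse::<IpAddr>().ok())
        .unwrap_or(peer)
}

/// Hardened selection: the TCP peer address is authoritative. X-Forwarded-For is
/// consulted only when the peer is one of our own proxies; the rightmost hop that is
/// not a trusted proxy is the client, and anything left of it is client-supplied.
fn client_ip_hardened(xff: Option<&str>, peer: IpAddr, trusted_proxies: &[IpAddr]) -> IpAddr {
    if !trusted_proxies.contains(&peer) {
        return peer; // direct connection: ignore the header entirely
    }
    let hops: Vec<IpAddr> = xff
        .unwrap_or("")
        .split(',')
        .filter_map(|s| s.trim().parse::<IpAddr>().ok())
        .collect();
    hops.iter()
        .rev()
        .find(|ip| !trusted_proxies.contains(ip))
        .copied()
        .unwrap_or(peer)
}

/// IP allowlist check shared by both variants.
fn acl_allows(ip: IpAddr, allowlist: &[IpAddr]) -> bool {
    allowlist.contains(&ip)
}

fn main() {
    // Constructed sample addresses, not real hosts.
    let allowed: IpAddr = "10.0.0.5".parse().unwrap();
    let attacker: IpAddr = "203.0.113.7".parse().unwrap();
    let proxy: IpAddr = "10.0.0.1".parse().unwrap();
    let allowlist = [allowed];
    // Direct connection from the attacker; the header claims an allowed address.
    let spoofed = Some("10.0.0.5");
    println!("vulnerable: {}", acl_allows(client_ip_vulnerable(spoofed, attacker), &allowlist)); // true
    println!("hardened:   {}", acl_allows(client_ip_hardened(spoofed, attacker, &[proxy]), &allowlist)); // false
    // Same forged header relayed by our proxy, which appends the real client hop.
    let relayed = Some("10.0.0.5, 203.0.113.7");
    println!("via proxy:  {}", acl_allows(client_ip_hardened(relayed, proxy, &[proxy]), &allowlist)); // false
}
```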
Remediation Steps:
- Identify all instances of RustFS running versions < alpha.78.
- Pull the latest docker image or compile from source (tag: alpha.78).
- Restart the RustFS service.
- Verify the fix by attempting to spoof a known allowed IP with curl and confirming that the request is now evaluated against the socket address and rejected:
  curl -H 'X-Forwarded-For: <allowed_ip>' <target>