RustFS: The 'Anything Goes' S3 POST Policy
Vulnerability ID: CVE-2026-27607
CVSS Score: 8.1
Published: 2026-02-25
RustFS, a distributed object storage system, implemented the S3 Presigned POST protocol but forgot the most important part: enforcing the rules. While it verified the cryptographic signature of upload requests, it completely ignored the policy conditions. This allowed attackers with a valid upload URL to bypass file size limits, overwrite arbitrary files, and spoof content types, effectively turning a 'profile picture upload' feature into a 'destroy the storage cluster' feature.
TL;DR
RustFS failed to validate policy conditions (content-length-range, starts-with) in S3 Presigned POST uploads. Attackers could use valid upload tokens to overwrite arbitrary files, exhaust storage with massive uploads, or host malicious content, regardless of the restrictions intended by the application.
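As an added illustration (not RustFS's own code), this is the condition check a Presigned POST endpoint has to run after the signature verifies, which is the step the advisory says was skipped; the policy document, form field names and sizes are constructed for the example.

```python
import base64
import json

# Constructed sample policy, shaped like the JSON an application signs for an
# S3 Presigned POST (the form carries the base64 of this document).
SAMPLE_POLICY = base64.b64encode(json.dumps({
    "expiration": "2026-03-01T00:00:00Z",
    "conditions": [
        {"bucket": "avatars"},
        ["starts-with", "$key", "users/42/"],
        ["starts-with", "$Content-Type", "image/"],
        ["content-length-range", 0, 1048576],
    ],
}).encode()).decode()

# Form fields that S3 does not require to appear in the policy conditions
UNCHECKED_FIELDS = {"file", "policy", "x-amz-signature"}


def check_policy_conditions(policy_b64, form_fields, content_length):
    """Return the violated conditions (empty list = upload may proceed). Assumes
    the signature over policy_b64 was already verified; field names match exactly."""
    policy = json.loads(base64.b64decode(policy_b64))
    violations, covered = [], set()
    for cond in policy.get("conditions", []):
        if isinstance(cond, dict):  # {"field": "value"} is shorthand for eq
            cond = ["eq", "$" + next(iter(cond)), next(iter(cond.values()))]
        op = str(cond[0]).lower()
        if op == "content-length-range":
            lo, hi = int(cond[1]), int(cond[2])
            if not lo <= content_length <= hi:
                violations.append(f"content-length-range {lo}-{hi}")
        elif op in ("eq", "starts-with"):
            field = cond[1].lstrip("$")
            covered.add(field)
            actual = form_fields.get(field)
            if actual is None:
                violations.append(f"{op} {field} (field missing)")
            elif op == "eq" and actual != cond[2]:
                violations.append(f"eq {field}")
            elif op == "starts-with" and not actual.startswith(cond[2]):
                violations.append(f"starts-with {field}")
        else:  # unknown operator: fail closed instead of silently accepting
            violations.append(f"unknown condition {op}")
    # Any other form field must be covered by a condition, so a client cannot add fields the signer never saw
    for field in form_fields:
        if field not in covered and field not in UNCHECKED_FIELDS \
                and not field.startswith("x-ignore-"):
            violations.append(f"undeclared field {field}")
    return violations
```

Run it against the form fields and Content-Length of an incoming upload before touching the bucket; any non-empty result should reject the request.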
⚠️ Exploit Status: POC
Technical Details
- CVE ID: CVE-2026-27607
- CVSS v3.1: 8.1 (High)
- CWE: CWE-20, CWE-863
- Attack Vector: Network
- Impact: Integrity, Availability
- EPSS Score: 0.05%
Affected Systems
- RustFS Distributed Object Storage
- RustFS: >= 1.0.0-alpha.56, <= 1.0.0-alpha.82 (Fixed in: 1.0.0-alpha.83)
Code Analysis
Commit: 9824171
Fix validation of S3 POST policy conditions
Exploit Details
- GitHub: PoC demonstrating bypass of content-length-range and starts-with
Mitigation Strategies
- Software Update
- API Hardening
- Architecture Change
Remediation Steps:
- Upgrade RustFS to version 1.0.0-alpha.83 or later immediately.
- Audit existing S3 buckets for unexpectedly large files or files with incorrect MIME types created during the vulnerability window.
- If immediate patching is impossible, disable direct S3 POST uploads and proxy file uploads through a backend service that performs validation.