CVE-2026-45042
Description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation validates GetObject permission on the source bucket and PutObject on the destination bucket independently, but does not enforce any policy constraints on whether the destination bucket permits the specified copy source. This enables unauthorized cross-bucket data movement. This vulnerability is fixed in 1.0.0-beta.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper authorization in RustFS UploadPartCopy allows cross-bucket copying without enforcing destination bucket copy-source policies, fixed in 1.0.0-beta.2.
Vulnerability
RustFS prior to version 1.0.0-beta.2 contains an improper authorization vulnerability in the UploadPartCopy operation. The implementation validates GetObject permission on the source bucket and PutObject permission on the destination bucket independently, but does not enforce any policy constraints on whether the destination bucket permits the specified copy source. This allows copying objects across buckets without respecting destination bucket restrictions on allowed copy sources [1].
Exploitation
An attacker requires GetObject permission on a source bucket and PutObject permission on a destination bucket. The attacker can initiate a multipart upload to the destination bucket and then call UploadPartCopy with the x-amz-copy-source header pointing to an object in the source bucket. The destination bucket's policy regarding allowed copy sources is not checked, enabling unauthorized cross-bucket data movement [1].
Impact
Successful exploitation allows an attacker to copy objects from any source bucket they have read access to into any destination bucket they have write access to, bypassing the destination bucket's copy-source restrictions. This can lead to unauthorized data exfiltration and violation of bucket isolation policies [1].
Mitigation
The vulnerability is fixed in RustFS version 1.0.0-beta.2 [1]. Users should upgrade to this version or later. No workarounds are documented in the available references.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation that the destination bucket's policy permits the specified copy source in the UploadPartCopy operation."
Attack vector
An attacker who has GetObject permission on a source bucket and PutObject permission on a destination bucket can copy objects from the source bucket into the destination bucket even if the destination bucket's policy explicitly forbids that copy source. The attacker initiates a multipart upload to the destination bucket, then issues an UploadPartCopy request specifying a source object in a different bucket. The implementation checks source GetObject and destination PutObject independently but never validates whether the destination bucket permits the specified copy source, enabling unauthorized cross-bucket data movement [ref_id=1].
Affected code
The vulnerability is in `rustfs/src/storage/access.rs` within the `upload_part_copy` function, which checks GetObject permission on the source bucket and PutObject on the destination bucket independently without enforcing destination bucket policy constraints on the copy source. Additionally, `rustfs/src/app/multipart_usecase.rs` accesses object data at the storage layer without further authorization checks [ref_id=1].
What the fix does
The advisory recommends adding source-bucket authorization enforcement at the storage layer by calling `iam_store.is_allowed()` with the source bucket, source key, and GetObject action before allowing the copy to proceed. This ensures that the destination bucket's policy constraints on allowed copy sources are respected, closing the authorization gap where only independent GetObject and PutObject checks were performed without cross-bucket policy validation [ref_id=1].
Preconditions
- authAttacker must have GetObject permission on the source bucket
- authAttacker must have PutObject permission on the destination bucket
- networkAttacker must have network access to the RustFS endpoint
Reproduction
1. Initiate a multipart upload to the destination bucket: `curl -X POST "$ENDPOINT/dst-bucket/exfil-object?uploads" --access_key $KEY --secret_key $SECRET` and extract the UploadId. 2. Issue an UploadPartCopy request: `curl -X PUT "$ENDPOINT/dst-bucket/exfil-object?partNumber=1&uploadId=$UPLOAD_ID" -H "x-amz-copy-source: /src-bucket/private-object.txt" --access_key $KEY --secret_key $SECRET` and extract the ETag. 3. Complete the multipart upload: `curl -X POST "$ENDPOINT/dst-bucket/exfil-object?uploadId=$UPLOAD_ID" -d "<CompleteMultipartUpload><Part><PartNumber>1</PartNumber><ETag>$ETAG</ETag></Part></CompleteMultipartUpload>" --access_key $KEY --secret_key $SECRET`. 4. Retrieve the copied object: `curl "$ENDPOINT/dst-bucket/exfil-object" --access_key $KEY --secret_key $SECRET` [ref_id=1].
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.