CVE-2026-46685
Description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: * on responses, including preflight responses and error responses. This creates a permissive cross-domain policy with untrusted origins. A browser visiting an attacker-controlled page can issue credentialed cross-origin requests to a reachable RustFS deployment and read the response when the victim browser has ambient credentials for the RustFS origin, such as saved HTTP Basic Auth credentials, reverse-proxy SSO cookies, or TLS client certificates. This vulnerability is fixed in 1.0.0-beta.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
RustFS S3 listener's ConditionalCorsLayer reflects any Origin with credentials when CORS allowed origins is unset, enabling cross-origin data theft.
Vulnerability
In RustFS prior to 1.0.0-beta.2, the S3 listener's ConditionalCorsLayer in rustfs/src/server/layer.rs defaults, when RUSTFS_CORS_ALLOWED_ORIGINS is not configured, to reflecting any request Origin header value back as Access-Control-Allow-Origin and setting Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: * on all responses, including preflight and error responses [1]. This affects versions <= 1.0.0-beta.1.
Exploitation
An attacker must control a web page visited by a victim whose browser has ambient credentials for the RustFS origin (e.g., saved HTTP Basic Auth credentials, reverse-proxy SSO cookies, or TLS client certificates). The attacker's page issues credentialed cross-origin requests to a network-reachable RustFS deployment, and due to the permissive CORS policy, the browser allows the page to read the response contents [1].
Impact
A successful attacker can read the response data of credentialed cross-origin requests to a RustFS deployment, leading to disclosure of information stored in the object storage system. The impact is limited to information disclosure at the privilege level of the victim's credentials [1].
Mitigation
Upgrade to RustFS 1.0.0-beta.2 or later, which fixes the issue. No workaround is available other than ensuring RUSTFS_CORS_ALLOWED_ORIGINS is configured explicitly [1].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing origin validation in ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin with credentials enabled when RUSTFS_CORS_ALLOWED_ORIGINS is unset."
Attack vector
When RUSTFS_CORS_ALLOWED_ORIGINS is unset, the ConditionalCorsLayer in rustfs/src/server/layer.rs reflects any Origin header value back as Access-Control-Allow-Origin and sets Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: * on all responses, including preflight and error responses [ref_id=1]. A browser visiting an attacker-controlled page can issue credentialed cross-origin fetch requests (with credentials: "include") to a reachable RustFS deployment. If the victim browser has ambient credentials for the RustFS origin — such as saved HTTP Basic Auth credentials, reverse-proxy SSO cookies, or TLS client certificates — the browser attaches them and the attacker can read the response due to the permissive CORS policy [CWE-942].
Affected code
The vulnerable component is the ConditionalCorsLayer in rustfs/src/server/layer.rs [ref_id=1]. The vulnerable behavior occurs in the code path when RUSTFS_CORS_ALLOWED_ORIGINS is not configured, shown by the pattern: (Some(orig), None) => Some(orig) [ref_id=1].
What the fix does
The advisory recommends changing the default behavior when RUSTFS_CORS_ALLOWED_ORIGINS is unset from "reflect any origin" to "do not emit CORS headers" [ref_id=1]. Additionally, Access-Control-Allow-Credentials: true should only be emitted when the request origin matched an explicit allow-list entry, not for wildcard or implicit/default origin handling. Operators who need cross-origin access should explicitly configure trusted origins. The fix is implemented in version 1.0.0-beta.2 [ref_id=1].
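As an added illustration of the fix described above (example code written for this page, not RustFS's own layer.rs), the following Rust model places the pre-fix default, including the (Some(orig), None) => Some(orig) arm, next to the fixed decision logic; the struct and function names are assumptions.

```rust
// Added example (not RustFS's own code): a minimal model of the CORS decision
// described on this page, with the pre-fix default next to the fixed default.
// Struct and function names are assumptions for illustration.

#[derive(Debug, PartialEq)]
pub struct CorsHeaders {
    pub allow_origin: String,
    pub allow_credentials: bool,
}

fn with_credentials(origin: &str) -> CorsHeaders {
    CorsHeaders { allow_origin: origin.to_string(), allow_credentials: true }
}

/// Pre-1.0.0-beta.2 default: with no configured allow-list, any request Origin
/// is reflected and credentials are enabled (the `(Some(orig), None) => Some(orig)` arm).
pub fn cors_vulnerable(origin: Option<&str>, allowed: Option<&[&str]>) -> Option<CorsHeaders> {
    match (origin, allowed) {
        // Allow-list unset: reflect whatever Origin the browser sent, with credentials.
        (Some(orig), None) => Some(with_credentials(orig)),
        (Some(orig), Some(list)) if list.contains(&orig) => Some(with_credentials(orig)),
        _ => None,
    }
}

/// Fixed default: an unset allow-list emits no CORS headers; credentials are set
/// only for an explicit allow-list match; a "*" entry never carries credentials.
pub fn cors_fixed(origin: Option<&str>, allowed: Option<&[&str]>) -> Option<CorsHeaders> {
    let orig = origin?;
    // Allow-list unset: emit nothing instead of reflecting the request Origin.
    let list = allowed?;
    if list.iter().any(|entry| *entry == orig) {
        return Some(with_credentials(orig));
    }
    if list.contains(&"*") {
        // Browsers reject "*" paired with credentials, so never combine them.
        return Some(CorsHeaders { allow_origin: "*".to_string(), allow_credentials: false });
    }
    None
}

fn main() {
    let attacker = Some("https://attacker.example");
    println!("before fix, allow-list unset: {:?}", cors_vulnerable(attacker, None));
    println!("after fix, allow-list unset:  {:?}", cors_fixed(attacker, None));
    let allow = ["https://app.example"];
    println!("after fix, explicit match:    {:?}", cors_fixed(Some("https://app.example"), Some(&allow[..])));
}
```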
Preconditions
- config: RUSTFS_CORS_ALLOWED_ORIGINS environment variable is unset (default configuration)
- network: Victim browser can reach the RustFS S3 listener over the network
- auth: Victim browser has ambient credentials for the RustFS origin (saved HTTP Basic Auth, SSO cookies, TLS client certificates, or other browser-managed auth)
- input: Attacker-controlled page makes credentialed cross-origin fetch requests to the RustFS endpoint
Reproduction
Start a RustFS 1.0.0-beta.1 server with default CORS configuration (RUSTFS_CORS_ALLOWED_ORIGINS unset). Send a GET request with a crafted Origin header:
curl -s -i -X GET http://127.0.0.1:9000/ -H 'Origin: https://attacker.example'
The response includes access-control-allow-origin: https://attacker.example and access-control-allow-credentials: true [ref_id=1]. A preflight request also reflects the attacker origin [ref_id=1]:
curl -s -i -X OPTIONS http://127.0.0.1:9000/somebucket -H 'Origin: https://attacker.example' -H 'Access-Control-Request-Method: PUT'
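To confirm a deployment no longer shows this behaviour after upgrading, the following added Rust check (written for this page, not taken from the advisory) parses a captured response like the curl output above and flags a reflected Origin paired with Access-Control-Allow-Credentials: true; the sample responses are constructed.

```rust
// Added example, not part of the advisory: audits one captured HTTP response
// against the Origin that was sent, flagging the pre-fix pattern (reflected origin
// plus Access-Control-Allow-Credentials: true). The sample responses are constructed.

#[derive(Debug, PartialEq)]
pub enum CorsVerdict {
    NoCorsHeaders,
    ReflectedWithCredentials,
    ReflectedWithoutCredentials,
    OtherOrigin(String),
}

/// Case-insensitive lookup of one header in a raw response; the status line has
/// no ':' and is skipped, and the split happens at the first ':' only.
fn header_value<'a>(raw: &'a str, name: &str) -> Option<&'a str> {
    raw.lines().find_map(|line| {
        let (key, value) = line.split_once(':')?;
        if key.trim().eq_ignore_ascii_case(name) { Some(value.trim()) } else { None }
    })
}

pub fn audit_response(sent_origin: &str, raw_response: &str) -> CorsVerdict {
    let acao = match header_value(raw_response, "Access-Control-Allow-Origin") {
        Some(v) => v,
        None => return CorsVerdict::NoCorsHeaders,
    };
    let credentials = header_value(raw_response, "Access-Control-Allow-Credentials")
        .map(|v| v.eq_ignore_ascii_case("true"))
        .unwrap_or(false);
    if acao != sent_origin {
        return CorsVerdict::OtherOrigin(acao.to_string());
    }
    if credentials { CorsVerdict::ReflectedWithCredentials } else { CorsVerdict::ReflectedWithoutCredentials }
}

// Constructed sample of the pre-fix response to the curl command on this page.
pub const VULNERABLE_RESPONSE: &str = "HTTP/1.1 200 OK\r\n\
access-control-allow-origin: https://attacker.example\r\n\
access-control-allow-credentials: true\r\n\
access-control-allow-headers: *\r\n\
content-length: 0\r\n";
// Constructed sample of a fixed server's response: no CORS headers at all.
pub const FIXED_RESPONSE: &str = "HTTP/1.1 200 OK\r\ncontent-length: 0\r\n";

fn main() {
    let origin = "https://attacker.example";
    println!("beta.1 sample: {:?}", audit_response(origin, VULNERABLE_RESPONSE));
    println!("fixed sample:  {:?}", audit_response(origin, FIXED_RESPONSE));
}
```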
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.