crates.io package
rustfs
pkg:cargo/rustfs
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-40937 | Hig | 8.3 | <= 0.0.2 | — | Apr 22, 2026 | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without | |
| CVE-2026-39360 | Med | 4.3 | <= 0.0.2 | — | Apr 7, 2026 | RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the multipart copy path (UploadPartCopy). A low-privileged user who cannot read objects from a victim bucket can still exfiltrate victim objects by cop | |
| CVE-2026-27822 | — | < 1.0.0-alpha.83 | 1.0.0-alpha.83 | Feb 25, 2026 | RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF | ||
| CVE-2026-27607 | — | >= 1.0.0-alpha.56, < 1.0.0-alpha.83 | 1.0.0-alpha.83 | Feb 25, 2026 | RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type cons | ||
| CVE-2026-24762 | — | >= 1.0.0-alpha.13, < 1.0.0-alpha.82 | 1.0.0-alpha.82 | Feb 3, 2026 | RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material (access key, secret key, session token) to application logs at INFO level. This results in credentials being recorded in plaintext in log out | ||
| CVE-2026-21862 | — | < 1.0.0-alpha.78 | 1.0.0-alpha.78 | Feb 3, 2026 | RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp | ||
| CVE-2026-22782 | — | >= 1.0.0-alpha.1, < 1.0.0-alpha.80 | 1.0.0-alpha.80 | Jan 16, 2026 | RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls. In crates/ec | ||
| CVE-2026-22043 | — | >= 1.0.0-alpha.13, < 1.0.0-alpha.79 | 1.0.0-alpha.79 | Jan 8, 2026 | RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the par | ||
| CVE-2026-22042 | — | < 1.0.0-alpha.79 | 1.0.0-alpha.79 | Jan 8, 2026 | RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, he `ImportIam` admin API validates permissions using `ExportIAMAction` instead of `ImportIAMAction`, allowing a principal with export-only IAM permissions to perform import operations. S | ||
| CVE-2025-69255 | — | >= 1.0.0-alpha.13, < 1.0.0-alpha.78 | 1.0.0-alpha.78 | Jan 7, 2026 | RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.77, a malformed gRPC GetMetrics request causes get_metrics to unwrap() failed deserialization of metric_type/opts, panicking the handler thread and enabling remote denial of ser | ||
| CVE-2025-68705 | — | >= 1.0.0-alpha.13, < 1.0.0-alpha.79 | 1.0.0-alpha.79 | Jan 7, 2026 | RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.78, RustFS contains a path traversal vulnerability in the /rustfs/rpc/read_file_stream endpoint. This issue has been patched in version 1.0.0-alpha.79. | ||
| CVE-2025-68926 | — | >= 1.0.0-alpha.13, < 1.0.0-alpha.78 | 1.0.0-alpha.78 | Dec 30, 2025 | RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, |
- affected <= 0.0.2
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without
- affected <= 0.0.2
RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the multipart copy path (UploadPartCopy). A low-privileged user who cannot read objects from a victim bucket can still exfiltrate victim objects by cop
- CVE-2026-27822Feb 25, 2026affected < 1.0.0-alpha.83fixed 1.0.0-alpha.83
RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF
- CVE-2026-27607Feb 25, 2026affected >= 1.0.0-alpha.56, < 1.0.0-alpha.83fixed 1.0.0-alpha.83
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type cons
- CVE-2026-24762Feb 3, 2026affected >= 1.0.0-alpha.13, < 1.0.0-alpha.82fixed 1.0.0-alpha.82
RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material (access key, secret key, session token) to application logs at INFO level. This results in credentials being recorded in plaintext in log out
- CVE-2026-21862Feb 3, 2026affected < 1.0.0-alpha.78fixed 1.0.0-alpha.78
RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp
- CVE-2026-22782Jan 16, 2026affected >= 1.0.0-alpha.1, < 1.0.0-alpha.80fixed 1.0.0-alpha.80
RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls. In crates/ec
- CVE-2026-22043Jan 8, 2026affected >= 1.0.0-alpha.13, < 1.0.0-alpha.79fixed 1.0.0-alpha.79
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the par
- CVE-2026-22042Jan 8, 2026affected < 1.0.0-alpha.79fixed 1.0.0-alpha.79
RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, he `ImportIam` admin API validates permissions using `ExportIAMAction` instead of `ImportIAMAction`, allowing a principal with export-only IAM permissions to perform import operations. S
- CVE-2025-69255Jan 7, 2026affected >= 1.0.0-alpha.13, < 1.0.0-alpha.78fixed 1.0.0-alpha.78
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.77, a malformed gRPC GetMetrics request causes get_metrics to unwrap() failed deserialization of metric_type/opts, panicking the handler thread and enabling remote denial of ser
- CVE-2025-68705Jan 7, 2026affected >= 1.0.0-alpha.13, < 1.0.0-alpha.79fixed 1.0.0-alpha.79
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.78, RustFS contains a path traversal vulnerability in the /rustfs/rpc/read_file_stream endpoint. This issue has been patched in version 1.0.0-alpha.79.
- CVE-2025-68926Dec 30, 2025affected >= 1.0.0-alpha.13, < 1.0.0-alpha.78fixed 1.0.0-alpha.78
RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server sides,