CVE-2026-27822

Name of the Vulnerable Software and Affected Versions RustFS versions prior to 1.0.0-alpha.83

Description RustFS is a distributed object storage system built in Rust. A Stored Cross-Site Scripting (XSS) vulnerability exists in the RustFS Console, allowing an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an attacker can steal administrator credentials from localStorage, potentially leading to full account takeover and system compromise. The vulnerability is due to improper validation of the response content type during the file preview process and a lack of origin separation between the S3 object delivery and the management console. An attacker can upload a file with a malicious payload disguised as a PDF, which, when previewed, executes JavaScript code with unrestricted access to the parent window's localStorage. This allows the attacker to steal S3 credentials (AccessKeyId, SecretAccessKey, and SessionToken) and perform administrative actions. Approximately 25,000 services are estimated to be found yearly that are potentially affected.

Recommendations Update to version 1.0.0-alpha.83 or later.