CVE-2026-39360

Name of the Vulnerable Software and Affected Versions RustFS versions prior to alpha.90

Description RustFS, a distributed object storage system built in Rust, had a missing authorization check in the multipart copy path (UploadPartCopy) before version alpha.90. This allowed a low-privileged user, lacking read access to objects in a victim bucket, to exfiltrate those objects by copying them into a multipart upload they control and then completing the upload. This compromised tenant isolation in multi-user or multi-tenant deployments.

Recommendations Update to version alpha.90 or later.