PT-2026-44470 · Rustfs · Rustfs

Mr-In4Inci3Le · Published 2026-05-28 · Updated 2026-05-28 · CVE-2026-45042

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions
RustFS versions prior to 1.0.0-beta.2

Description
Improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The system validates GetObject permission on the source bucket and PutObject on the destination bucket independently, but fails to enforce policy constraints regarding whether the destination bucket permits the specified copy source, enabling unauthorized cross-bucket data movement.

Recommendations
Update to version 1.0.0-beta.2.
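
The authorization gap in the description, modelled in Rust as an added example; this is not RustFS code and not the project's fix. The `Grant` type, its fields, the function names and the `staging/*` pattern style are assumptions made for illustration, and the copy-source value is assumed to arrive as an S3-style `bucket/key` string.

```rust
// Added illustration, not RustFS source; all names hypothetical, sample data constructed.
/// One principal's grants on one bucket.
struct Grant {
    get_object: bool,
    put_object: bool,
    /// If Some, copies into this bucket may only read "bucket/key" sources matching a pattern.
    copy_source_allow: Option<Vec<&'static str>>,
}

/// Normalise a copy-source value (assumed already URL-decoded): drop leading '/' and "?versionId=...".
fn normalize_source(header: &str) -> &str {
    let s = header.strip_prefix('/').unwrap_or(header);
    s.split('?').next().unwrap_or(s)
}

fn pattern_matches(pattern: &str, source: &str) -> bool {
    match pattern.strip_suffix('*') {
        Some(prefix) => source.starts_with(prefix), // trailing '*' means prefix match
        None => pattern == source,
    }
}

/// Behaviour the advisory describes before the fix: two independent checks.
fn authorize_independent(src: &Grant, dst: &Grant) -> bool {
    src.get_object && dst.put_object
}

/// Hardened decision: the destination's copy-source restriction is part of the same check.
fn authorize_with_copy_source(src: &Grant, dst: &Grant, copy_source: &str) -> bool {
    let source = normalize_source(copy_source);
    let dst_permits = match &dst.copy_source_allow {
        Some(patterns) => patterns.iter().any(|p| pattern_matches(p, source)),
        None => true, // no restriction configured on the destination
    };
    authorize_independent(src, dst) && dst_permits
}

/// Constructed case: caller may read the source and write the destination, which only accepts "staging/".
fn sample() -> (Grant, Grant) {
    (
        Grant { get_object: true, put_object: false, copy_source_allow: None },
        Grant { get_object: true, put_object: true, copy_source_allow: Some(vec!["staging/*"]) },
    )
}

fn main() {
    let (src, dst) = sample();
    println!("independent: {}, with copy-source rule: {}", authorize_independent(&src, &dst), authorize_with_copy_source(&src, &dst, "/finance/q3.csv"));
}
```

The same request passes the two independent permission checks and is refused once the destination's allowed-source rule is evaluated, which is the difference the description points to.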

Exploit

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-45042

Affected Products

Rustfs