PT-2026-44473 · Rustfs · Rustfs

Skandragon · Published 2026-05-28 · Updated 2026-05-28 · CVE-2026-46685

CVSS v4.0: 6.0 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
RustFS versions prior to 1.0.0-beta.2

Description
When the RUSTFS_CORS_ALLOWED_ORIGINS environment variable is unset, the S3 listener's ConditionalCorsLayer reflects whatever Origin value the request carries back as Access-Control-Allow-Origin. It also sets Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: * on every response, including preflight and error responses. Reflecting an arbitrary origin while allowing credentials is the insecure combination: it grants untrusted origins a permissive cross-domain policy, so a browser visiting an attacker-controlled page can issue credentialed cross-origin requests to a RustFS deployment and read the responses whenever the browser holds ambient credentials for the RustFS origin, such as saved HTTP Basic Auth credentials, reverse-proxy SSO cookies, or TLS client certificates. The attack therefore needs a victim who visits the attacker's page (UI:P) and who already has such credentials (AT:P); requests signed with S3 access keys are not exposed by this path. Note that browsers following the Fetch standard treat a literal * in Access-Control-Allow-Headers as a header name rather than a wildcard on credentialed requests, so the reflected Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true is what makes the response readable.

Recommendations
Update to version 1.0.0-beta.2. Because the reflection happens only when the variable is unset, deployments that cannot upgrade immediately should set RUSTFS_CORS_ALLOWED_ORIGINS to an explicit list of trusted origins rather than leaving it empty.
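The decision described above, modelled as an added example in plain Rust (this is not RustFS's ConditionalCorsLayer or any code from the project; the type and function names CorsPolicy, vulnerable_cors, hardened_cors and reflects_origin_with_credentials are hypothetical, and the allowlist is an in-memory value standing in for RUSTFS_CORS_ALLOWED_ORIGINS so the example runs offline). It places the reflect-anything behaviour beside a hardened variant that emits no CORS headers when no allowlist is configured and echoes an origin only after an exact string match, and it adds the check a tester would run against a captured response: did the server echo the probe Origin together with Access-Control-Allow-Credentials: true.

```rust
// Added example, not RustFS code. Models the CORS decision the advisory describes
// (unset allowlist => reflect any Origin with credentials) next to a hardened version,
// plus a detector for the reflect+credentials pattern in captured response headers.

/// How the origin allowlist is configured. In RustFS this comes from the
/// RUSTFS_CORS_ALLOWED_ORIGINS environment variable; here it is an in-memory value.
#[derive(Debug, Clone, PartialEq)]
pub enum CorsPolicy {
    /// Variable unset: the case the advisory is about.
    Unset,
    /// Explicit origins, each a full "scheme://host[:port]" string.
    Allowlist(Vec<String>),
}

/// CORS response headers a layer would emit. `None` means no CORS headers at all,
/// in which case the browser refuses to expose the response to cross-origin script.
#[derive(Debug, Clone, PartialEq)]
pub struct CorsHeaders {
    pub allow_origin: String,
    pub allow_credentials: bool,
}

/// Pre-1.0.0-beta.2 behaviour as described: with the allowlist unset, any Origin is
/// reflected and credentials are allowed, which is the insecure combination.
pub fn vulnerable_cors(policy: &CorsPolicy, origin: Option<&str>) -> Option<CorsHeaders> {
    let origin = origin?;
    let allowed = match policy {
        CorsPolicy::Unset => true, // BUG: an attacker's page is reflected like any other
        CorsPolicy::Allowlist(list) => list.iter().any(|o| o == origin),
    };
    allowed.then(|| CorsHeaders {
        allow_origin: origin.to_string(),
        allow_credentials: true,
    })
}

/// Hardened decision: an unset allowlist yields no CORS headers, and a listed origin is
/// echoed only after an exact, case-sensitive match (no prefix, suffix or wildcard logic,
/// so "https://console.example.com.attacker.example" does not pass).
pub fn hardened_cors(policy: &CorsPolicy, origin: Option<&str>) -> Option<CorsHeaders> {
    let origin = origin?;
    match policy {
        CorsPolicy::Unset => None,
        CorsPolicy::Allowlist(list) if list.iter().any(|o| o == origin) => Some(CorsHeaders {
            allow_origin: origin.to_string(),
            allow_credentials: true,
        }),
        CorsPolicy::Allowlist(_) => None,
    }
}

/// Case-insensitive header lookup over a captured (name, value) list.
fn header<'a>(headers: &'a [(&'a str, &'a str)], name: &str) -> Option<&'a str> {
    headers
        .iter()
        .find(|(k, _)| k.eq_ignore_ascii_case(name))
        .map(|(_, v)| v.trim())
}

/// Tester's check: given the Origin sent in a probe and the response headers that came
/// back, report whether the server reflected that exact origin with credentials enabled.
/// A wildcard "*" is not reported, because browsers never pair it with credentials.
pub fn reflects_origin_with_credentials(probe_origin: &str, headers: &[(&str, &str)]) -> bool {
    let acao = header(headers, "Access-Control-Allow-Origin");
    let acac = header(headers, "Access-Control-Allow-Credentials");
    acao == Some(probe_origin) && acac.map_or(false, |v| v.eq_ignore_ascii_case("true"))
}

fn main() {
    let attacker = "https://attacker.example";

    // Unset allowlist: the vulnerable layer reflects, the hardened layer stays silent.
    println!("vulnerable: {:?}", vulnerable_cors(&CorsPolicy::Unset, Some(attacker)));
    println!("hardened:   {:?}", hardened_cors(&CorsPolicy::Unset, Some(attacker)));

    // Constructed response headers, shaped like what a probe sending
    // "Origin: https://attacker.example" to an unpatched instance would get back.
    let captured = [
        ("Content-Type", "application/xml"),
        ("Access-Control-Allow-Origin", "https://attacker.example"),
        ("Access-Control-Allow-Credentials", "true"),
        ("Access-Control-Allow-Headers", "*"),
    ];
    println!("reflects with credentials: {}", reflects_origin_with_credentials(attacker, &captured));
}
```

To gather real headers for the check, send a request with an Origin you control (for example with curl's -H 'Origin: https://attacker.example' against the S3 endpoint) and compare Access-Control-Allow-Origin and Access-Control-Allow-Credentials in the reply; the same comparison applied to an OPTIONS preflight and to a deliberately failing request confirms the advisory's point that error and preflight responses carry the headers too.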

Weakness Enumeration
Missing Authentication
Origin Validation Error

Related Identifiers
CVE-2026-46685

Affected Products
Rustfs