PT-2026-6099 · Rustfs · Rustfs

Enitmar +1

Published 2026-02-03 · Updated 2026-02-23

CVE-2026-21862

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: RustFS versions prior to alpha.78

Description: RustFS, a distributed object storage system, had a flaw in its access control mechanism. The get_condition_values function, which supplies the condition keys used during policy evaluation, filled aws:SourceIp from the client-supplied X-Forwarded-For and X-Real-Ip headers without checking that the request had arrived through a trusted proxy. Because those are ordinary request headers, any client able to reach the server could set them to an allowlisted address and satisfy IP-allowlist policy conditions it should not have matched.

Recommendations: Update to version alpha.78 or later. Until the update is applied, do not rely on aws:SourceIp conditions in deployments where clients can reach RustFS directly; as a general rule, X-Forwarded-For and X-Real-Ip should only be honoured when the immediate TCP peer is a proxy under your control.
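The following Rust program is an added illustration, not code from RustFS: it shows the header-trust mistake described above next to a hardened variant that honours X-Forwarded-For and X-Real-Ip only when the TCP peer is a configured trusted proxy, and evaluates an aws:SourceIp-style IPv4 allowlist against both. The Request and SourceIpAllowlist types, the source_ip_* functions, and the addresses in the scenario are hypothetical.

```rust
// Added example, not code from RustFS: the header-trust mistake behind
// CVE-2026-21862 beside a hardened version. Request, SourceIpAllowlist and the
// two source_ip_* functions are hypothetical names for illustration only.
use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr};

/// Minimal stand-in for an incoming HTTP request: the TCP peer address plus
/// headers, stored with lowercase names as most HTTP stacks do.
pub struct Request {
    pub peer_addr: IpAddr,
    pub headers: HashMap<String, String>,
}

impl Request {
    pub fn new(peer_addr: IpAddr, headers: &[(&str, &str)]) -> Self {
        let headers = headers
            .iter()
            .map(|(k, v)| (k.to_ascii_lowercase(), v.to_string()))
            .collect();
        Request { peer_addr, headers }
    }

    fn header(&self, name: &str) -> Option<&str> {
        self.headers.get(name).map(String::as_str)
    }
}

fn parse_ip(s: &str) -> Option<IpAddr> {
    s.trim().parse::<IpAddr>().ok()
}

/// Vulnerable behaviour (the pattern the advisory describes): believe the
/// client-supplied forwarding headers unconditionally and only fall back to
/// the socket peer when neither header is present.
pub fn source_ip_vulnerable(req: &Request) -> IpAddr {
    if let Some(ip) = req
        .header("x-forwarded-for")
        .and_then(|v| v.split(',').next())
        .and_then(parse_ip)
    {
        return ip;
    }
    if let Some(ip) = req.header("x-real-ip").and_then(parse_ip) {
        return ip;
    }
    req.peer_addr
}

/// Hardened behaviour: forwarding headers only mean something when the
/// connection really came through one of our trusted proxies. Even then,
/// walk X-Forwarded-For from the right and stop at the first hop that is not
/// a trusted proxy; that is the real client. Whatever a direct client writes
/// into these headers is ignored, because its peer address is not a proxy.
pub fn source_ip_hardened(req: &Request, trusted_proxies: &[IpAddr]) -> IpAddr {
    if !trusted_proxies.contains(&req.peer_addr) {
        return req.peer_addr;
    }
    if let Some(xff) = req.header("x-forwarded-for") {
        let hops: Vec<IpAddr> = xff.split(',').filter_map(parse_ip).collect();
        if let Some(ip) = hops.iter().rev().find(|ip| !trusted_proxies.contains(ip)) {
            return *ip;
        }
    }
    if let Some(ip) = req.header("x-real-ip").and_then(parse_ip) {
        return ip;
    }
    req.peer_addr
}

/// An IpAddress condition on aws:SourceIp: matches when the source address
/// lies inside one of the allowlisted IPv4 prefixes.
pub struct SourceIpAllowlist {
    pub cidrs: Vec<(Ipv4Addr, u8)>,
}

impl SourceIpAllowlist {
    pub fn allows(&self, ip: IpAddr) -> bool {
        let IpAddr::V4(v4) = ip else { return false };
        let bits = u32::from(v4);
        self.cidrs.iter().any(|(net, prefix)| {
            let prefix = (*prefix).min(32);
            let mask = if prefix == 0 { 0 } else { u32::MAX << (32 - prefix) };
            (bits & mask) == (u32::from(*net) & mask)
        })
    }
}

/// Constructed scenario: the policy allows only 10.0.0.0/8, the only trusted
/// proxy is 10.0.0.5, and an attacker at 203.0.113.7 connects directly while
/// claiming a corporate address in both headers.
/// Returns (vulnerable decision, hardened decision).
pub fn spoof_scenario() -> (bool, bool) {
    let policy = SourceIpAllowlist { cidrs: vec![(Ipv4Addr::new(10, 0, 0, 0), 8)] };
    let trusted_proxies = [IpAddr::V4(Ipv4Addr::new(10, 0, 0, 5))];
    let attacker = Request::new(
        IpAddr::V4(Ipv4Addr::new(203, 0, 113, 7)),
        &[("X-Forwarded-For", "10.0.0.42"), ("X-Real-Ip", "10.0.0.42")],
    );
    let vulnerable = policy.allows(source_ip_vulnerable(&attacker));
    let hardened = policy.allows(source_ip_hardened(&attacker, &trusted_proxies));
    (vulnerable, hardened)
}

fn main() {
    let (vulnerable, hardened) = spoof_scenario();
    println!("vulnerable path lets the spoofed request through: {vulnerable}");
    println!("hardened path lets the spoofed request through:   {hardened}");
}
```

The important design point is the order of checks in the hardened path: the peer address is compared against the trusted-proxy list before any header is read, so a client that talks to the server directly can put anything it likes in X-Forwarded-For and still be evaluated as its own socket address.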

Weakness Enumeration

CWE-290: Authentication Bypass by Spoofing

Related Identifiers

CVE-2026-21862
GHSA-FC6G-2GCP-2QRQ

Affected Products

Rustfs