PatchSiren cyber security CVE debrief
CVE-2026-45042 rustfs CVE debrief
A high-severity authorization bypass vulnerability in RustFS, a distributed object storage system built in Rust, allows unauthorized cross-bucket data movement through the UploadPartCopy operation. Prior to version 1.0.0-beta.2, the implementation validates GetObject permission on the source bucket and PutObject permission on the destination bucket independently, but fails to enforce policy constraints on whether the destination bucket permits the specified copy source. This improper authorization flaw enables attackers with valid credentials to copy objects across buckets in violation of intended access controls. The vulnerability is classified as CWE-863 (Incorrect Authorization) and carries a CVSS 4.0 score of 7.1 (HIGH). The issue was disclosed on May 28, 2026, with a fix available in RustFS version 1.0.0-beta.2.
- Vendor
- rustfs
- Product
- Unknown
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-28
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-28
- Advisory updated
- 2026-05-29
Who should care
Organizations operating RustFS-based object storage infrastructure, particularly multi-tenant deployments with strict data isolation requirements between buckets. Security teams responsible for S3-compatible storage security and compliance officers overseeing data residency and access control policies.
Technical summary
The UploadPartCopy operation in RustFS versions prior to 1.0.0-beta.2 contains an authorization logic flaw where permission validation is performed in isolation rather than as a unified policy check. The operation separately verifies GetObject access on the source bucket and PutObject access on the destination bucket, but does not validate whether the destination bucket's policies permit copying from the specified source. This architectural gap allows authenticated users to circumvent intended data segregation controls by copying objects to buckets where such operations should be prohibited by policy. The vulnerability is exploitable over the network with low attack complexity and requires low privileges, though it does not impact integrity or availability of the storage system.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade RustFS to version 1.0.0-beta.2 or later to remediate the authorization bypass vulnerability.
- Review bucket policies and IAM configurations to ensure copy source restrictions are explicitly enforced at the policy layer as a defense-in-depth measure.
- Audit access logs for UploadPartCopy operations to identify potential unauthorized cross-bucket data movement that may have occurred prior to patching.
- Implement additional authorization middleware or proxy controls that validate copy source permissions against destination bucket policies if immediate upgrade is not feasible.
- Monitor for anomalous cross-bucket copy patterns that may indicate exploitation attempts.
Evidence notes
Vulnerability description and fix version confirmed through GitHub Security Advisory GHSA-wfxj-ph3v-7mjf. CVSS 4.0 vector and score sourced from NVD record. CWE-863 classification provided by [email protected].
Official resources
-
CVE-2026-45042 CVE record
CVE.org
-
CVE-2026-45042 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-28