PatchSiren cyber security CVE debrief
CVE-2026-46685 rustfs CVE debrief
CVE-2026-46685 documents a Cross-Origin Resource Sharing (CORS) misconfiguration in RustFS, a distributed object storage system built in Rust. The vulnerability exists in versions prior to 1.0.0-beta.2 when the RUSTFS_CORS_ALLOWED_ORIGINS environment variable is unset. In this default state, the ConditionalCorsLayer middleware reflects any request Origin header value back as Access-Control-Allow-Origin and additionally sets Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: * on responses, including preflight and error responses. This creates a permissive cross-domain policy that allows attacker-controlled web pages to make credentialed cross-origin requests to a reachable RustFS deployment and read the responses whenever the victim's browser holds ambient credentials for the RustFS origin, such as saved HTTP Basic Auth credentials, reverse-proxy SSO cookies, or TLS client certificates. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, attack requirements present (AT:P), no privileges required, and user interaction required, with high confidentiality impact and low integrity impact on the vulnerable component. The vulnerability was published on 2026-05-28 and modified the same day. The fix is available in version 1.0.0-beta.2.
- Vendor: rustfs
- Product: Unknown
- CVSS: MEDIUM (6.0)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations operating RustFS object storage deployments, particularly those exposing S3-compatible endpoints to browser-accessible networks or relying on ambient authentication mechanisms. Security teams responsible for API security and CORS policy enforcement. Developers building applications that interact with RustFS via browser-based clients.
Technical summary
The RustFS S3 listener's ConditionalCorsLayer implements a dangerous default when RUSTFS_CORS_ALLOWED_ORIGINS is not configured. The middleware performs origin reflection, returning the request's Origin header value verbatim in Access-Control-Allow-Origin, while simultaneously setting Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: *. Browsers refuse to expose credentialed responses when Access-Control-Allow-Origin is the wildcard *, and reflecting the caller's origin is precisely the pattern that defeats that safeguard: any origin becomes an allowed, credentialed origin. The vulnerability affects all response types, including preflight (OPTIONS) and error responses, which maximizes the attack surface. An attacker hosting a malicious webpage can exploit this by inducing a victim with stored credentials for the RustFS origin to visit the page, then issuing cross-origin requests that carry those credentials (cookies, HTTP Basic Auth, or TLS client certificates) and reading the responses. The CVSS 4.0 score of 6.0 (MEDIUM) reflects the required user interaction and the high confidentiality impact balanced against the need for ambient credentials. The vendor addressed this in 1.0.0-beta.2 by implementing proper CORS origin validation.
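The following is an added example, not RustFS's own ConditionalCorsLayer code: an allow-list origin check of the kind the fix requires, next to a small response-header audit a defender can run over headers captured from a probe of their own deployment. It assumes RUSTFS_CORS_ALLOWED_ORIGINS holds a comma-separated list of origins; that format is an assumption for this example.

```rust
use std::collections::HashSet;

/// Parse the allow-list. The variable name is from the advisory; the
/// comma-separated format is an assumption made for this example.
pub fn parse_allowed_origins(value: Option<&str>) -> HashSet<String> {
    value
        .unwrap_or("")
        .split(',')
        .map(|s| s.trim().trim_end_matches('/').to_string())
        .filter(|s| !s.is_empty())
        .collect()
}

/// Hardened decision: only an exact allow-list match produces CORS headers.
/// An unset or empty allow-list yields no headers at all, so the browser
/// blocks the cross-origin read instead of getting a reflected origin.
pub fn cors_headers(origin: Option<&str>, allowed: &HashSet<String>) -> Vec<(&'static str, String)> {
    let origin = match origin {
        Some(o) => o.trim().trim_end_matches('/'),
        None => return Vec::new(),
    };
    if !allowed.contains(origin) {
        return Vec::new();
    }
    vec![
        ("Access-Control-Allow-Origin", origin.to_string()),
        ("Access-Control-Allow-Credentials", "true".to_string()),
        // Name the headers actually needed rather than the wildcard.
        ("Access-Control-Allow-Headers", "Authorization, Content-Type".to_string()),
        // Cache keyed per origin so one origin's answer is not served to another.
        ("Vary", "Origin".to_string()),
    ]
}

/// Defender check: given the Origin sent in a probe and the response headers
/// received, report whether the response shows the vulnerable pattern
/// (Origin reflected verbatim together with credentials allowed).
pub fn reflects_with_credentials(origin: &str, headers: &[(&str, &str)]) -> bool {
    let get = |name: &str| {
        headers
            .iter()
            .find(|(n, _)| n.eq_ignore_ascii_case(name))
            .map(|(_, v)| v.trim())
    };
    let reflected = get("Access-Control-Allow-Origin").map_or(false, |v| v == origin);
    let creds = get("Access-Control-Allow-Credentials").map_or(false, |v| v.eq_ignore_ascii_case("true"));
    reflected && creds
}
```

Feed reflects_with_credentials the Origin you sent and the headers you got back from a test OPTIONS request against a staging instance; a true result means the listener still reflects arbitrary origins with credentials.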
Defensive priority
medium
Recommended defensive actions
- Upgrade RustFS to version 1.0.0-beta.2 or later to remediate the CORS misconfiguration vulnerability
- Configure RUSTFS_CORS_ALLOWED_ORIGINS explicitly to trusted origins rather than leaving it unset
- Review and restrict ambient authentication mechanisms (HTTP Basic Auth, reverse-proxy SSO cookies, TLS client certificates) that could be exploited via credentialed cross-origin requests
- Implement network segmentation to limit exposure of RustFS S3 listener interfaces to untrusted networks
- Monitor access logs for anomalous cross-origin request patterns that may indicate exploitation attempts
- Validate CORS policy configuration in staging environments before production deployment
Evidence notes
CORS misconfiguration when RUSTFS_CORS_ALLOWED_ORIGINS is unset; reflects arbitrary Origin values with credentials allowed. Affects preflight and error responses. Fixed in 1.0.0-beta.2.
Official resources
- CVE-2026-46685 CVE record (CVE.org)
- CVE-2026-46685 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28T19:16:39.583Z