PatchSiren

rustfs CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM rustfs CVE published 2026-05-28

CVE-2026-46685

CVE-2026-46685 documents a Cross-Origin Resource Sharing (CORS) misconfiguration in RustFS, a distributed object storage system built in Rust. The vulnerability exists in versions prior to 1.0.0-beta.2 when the RUSTFS_CORS_ALLOWED_ORIGINS environment variable is unset. In this default state, the ConditionalCorsLayer middleware reflects any request Origin header value back as Access-Control-Allow-Origin an [truncated]
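The reflection pattern described above, and the allowlist behaviour that replaces it, as an added example. This is illustrative code written for this debrief, not RustFS's ConditionalCorsLayer; the type and function names (CorsDecision, allow_origin_vulnerable, allow_origin_hardened, cors_headers) are hypothetical, and the configured value is modelled as the same comma-separated string an environment variable would carry.

```rust
// Added example, not RustFS code. It models the two behaviours the advisory
// contrasts: reflecting the request Origin when no allowlist is configured,
// versus treating "unset" as "deny". Type and function names are hypothetical.

#[derive(Debug, PartialEq)]
pub enum CorsDecision {
    /// Emit Access-Control-Allow-Origin with exactly this value.
    Allow(String),
    /// Emit no CORS headers; the browser then blocks the cross-origin read.
    Deny,
}

fn allowlist_entries(configured: &str) -> impl Iterator<Item = &str> {
    configured.split(',').map(str::trim).filter(|e| !e.is_empty())
}

/// Vulnerable: an unset allowlist echoes whatever Origin the client sent,
/// so an attacker-controlled page always gets a matching ACAO header.
pub fn allow_origin_vulnerable(configured: Option<&str>, request_origin: &str) -> CorsDecision {
    match configured {
        None => CorsDecision::Allow(request_origin.to_string()), // reflection
        Some(list) if allowlist_entries(list).any(|o| o == request_origin) => {
            CorsDecision::Allow(request_origin.to_string())
        }
        Some(_) => CorsDecision::Deny,
    }
}

/// Hardened: unset or empty means deny. An origin must match a configured
/// entry exactly (scheme, host and port), so "https://app.example" matches
/// neither "https://app.example.attacker.test" nor "http://app.example".
/// A literal "*" entry is honoured as the wildcard, which browsers refuse
/// to combine with credentialed requests.
pub fn allow_origin_hardened(configured: Option<&str>, request_origin: &str) -> CorsDecision {
    let list = match configured {
        Some(l) if !l.trim().is_empty() => l,
        _ => return CorsDecision::Deny,
    };
    if allowlist_entries(list).any(|e| e == "*") {
        return CorsDecision::Allow("*".to_string());
    }
    // Reject anything that is not "scheme://authority" before comparing,
    // so a path, whitespace or embedded header text can never be echoed.
    let authority = request_origin
        .strip_prefix("https://")
        .or_else(|| request_origin.strip_prefix("http://"));
    let well_formed = matches!(authority, Some(a)
        if !a.is_empty() && !a.contains('/') && !a.chars().any(char::is_whitespace));
    if well_formed && allowlist_entries(list).any(|e| e == request_origin) {
        CorsDecision::Allow(request_origin.to_string())
    } else {
        CorsDecision::Deny
    }
}

/// Response headers for a decision. ACAO is emitted only on Allow, Vary: Origin
/// keeps caches from serving one origin's answer to another, and credentials
/// are only ever paired with a specific origin, never with "*".
pub fn cors_headers(decision: &CorsDecision, with_credentials: bool) -> Vec<(&'static str, String)> {
    match decision {
        CorsDecision::Deny => Vec::new(),
        CorsDecision::Allow(origin) => {
            let mut headers = vec![
                ("Access-Control-Allow-Origin", origin.clone()),
                ("Vary", "Origin".to_string()),
            ];
            if with_credentials && origin.as_str() != "*" {
                headers.push(("Access-Control-Allow-Credentials", "true".to_string()));
            }
            headers
        }
    }
}

fn main() {
    let attacker = "https://attacker.test";
    println!("vulnerable, unset:  {:?}", allow_origin_vulnerable(None, attacker));
    println!("hardened, unset:    {:?}", allow_origin_hardened(None, attacker));
    println!("hardened, allowed:  {:?}", allow_origin_hardened(Some("https://app.example"), "https://app.example"));
}
```

The point to check in any CORS layer is the default branch: with no allowlist, the safe answer is to emit no Access-Control-Allow-Origin at all, not to echo the request. Reflection is most damaging when the response also carries Access-Control-Allow-Credentials, because the victim's browser will then attach cookies or other ambient credentials to the cross-origin request and let the attacker's page read the result.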

HIGH rustfs CVE published 2026-05-28

CVE-2026-45044

CVE-2026-45044 is a HIGH-severity vulnerability (CVSS 8.8) in RustFS, a distributed object storage system built in Rust. The issue affects versions prior to 1.0.0-beta.2 and was published on 2026-05-28. The vulnerability stems from an authentication bypass in the admin router, where the `/profile/cpu` and `/profile/memory` endpoints are explicitly exempted from authentication checks via an allowlist. This allows unauth [truncated]
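The exemption-list mistake above, modelled as an added example rather than RustFS's admin router. The AdminRouter, Request and Outcome types are hypothetical, "/health" stands in for whatever endpoints a real deployment legitimately serves without credentials (the advisory does not list them), and the exemption_audit check is the regression test a maintainer would want so that a sensitive route can never be reached anonymously again.

```rust
// Added example, not RustFS code. It models an admin router's authentication
// exemption list, the mistake of adding the profiling handlers to it, and a
// regression check that flags any sensitive route reachable anonymously.
// "/health" is a hypothetical liveness endpoint; the token format is made up.

use std::collections::BTreeSet;

pub struct Request<'a> {
    pub path: &'a str,
    pub authorization: Option<&'a str>,
}

#[derive(Debug, PartialEq)]
pub enum Outcome {
    Served,
    Unauthorized,
}

pub struct AdminRouter {
    /// Paths reachable without credentials; everything else needs a verified caller.
    auth_exempt: BTreeSet<&'static str>,
}

/// Drop the query string and collapse empty segments so "//profile//cpu/?s=30"
/// is compared as "/profile/cpu"; exemptions are matched on the normalized form.
fn normalize_path(raw: &str) -> String {
    let path = raw.split('?').next().unwrap_or("");
    let mut out = String::from("/");
    for seg in path.split('/').filter(|s| !s.is_empty()) {
        if out.len() > 1 {
            out.push('/');
        }
        out.push_str(seg);
    }
    out
}

impl AdminRouter {
    /// The vulnerable shape: profiling handlers exempted alongside the probe,
    /// so anyone who can reach the admin port can trigger a CPU or heap profile.
    pub fn vulnerable() -> Self {
        Self { auth_exempt: ["/health", "/profile/cpu", "/profile/memory"].iter().copied().collect() }
    }

    /// The hardened shape: only the liveness probe stays open; profiling, which
    /// both loads the node and exposes process memory, goes back behind auth.
    pub fn hardened() -> Self {
        Self { auth_exempt: ["/health"].iter().copied().collect() }
    }

    pub fn handle(&self, req: &Request, verify_token: impl Fn(&str) -> bool) -> Outcome {
        let path = normalize_path(req.path);
        if self.auth_exempt.contains(path.as_str()) {
            return Outcome::Served;
        }
        match req.authorization {
            Some(token) if verify_token(token) => Outcome::Served,
            _ => Outcome::Unauthorized,
        }
    }

    /// Regression check for the exemption list: returns every route from
    /// `must_be_authenticated` that an anonymous caller can reach.
    pub fn exemption_audit(&self, must_be_authenticated: &[&str]) -> Vec<String> {
        must_be_authenticated
            .iter()
            .copied()
            .filter(|&p| {
                let anon = Request { path: p, authorization: None };
                self.handle(&anon, |_| false) == Outcome::Served
            })
            .map(String::from)
            .collect()
    }
}

fn main() {
    let sensitive = ["/profile/cpu", "/profile/memory"];
    println!("vulnerable router leaks: {:?}", AdminRouter::vulnerable().exemption_audit(&sensitive));
    println!("hardened router leaks:   {:?}", AdminRouter::hardened().exemption_audit(&sensitive));
}
```

Two design points carry over to any admin surface: the exemption list is matched against a normalized path so that slash and query-string variants cannot dodge the check, and the list is covered by a test that enumerates the routes which must stay authenticated, so adding a handler to the exemptions "for convenience" fails CI instead of shipping.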

HIGH rustfs CVE published 2026-05-28

CVE-2026-45042

A high-severity authorization bypass vulnerability in RustFS, a distributed object storage system built in Rust, allows unauthorized cross-bucket data movement through the UploadPartCopy operation. Prior to version 1.0.0-beta.2, the implementation validates GetObject permission on the source bucket and PutObject permission on the destination bucket independently, but fails to enforce policy constraints on [truncated]

HIGH rustfs CVE published 2026-05-28

CVE-2026-45041

A high-severity cryptographic vulnerability in RustFS distributed object storage allows complete license enforcement bypass. The application embeds a hardcoded 2048-bit RSA private key as a string constant (TEST_PRIVATE_KEY) in crates/appauth/src/token.rs and uses it in production, via parse_license(), to verify license tokens. Because this key is present in all published source releases and binaries, any par [truncated]
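The release-time check a maintainer would want for this class of bug, as an added example that is not RustFS code: a scanner that flags PEM private-key armour in source files or binaries while letting public keys and certificates through. An RSA private key in PEM form carries the public modulus and exponent as well, so verification code such as the parse_license() path described above only needs the public half shipped; the private half belongs in a signing pipeline, never in a release artifact. SAMPLE_SOURCE below is constructed for the example and contains placeholder bodies, not key material.

```rust
// Added example, not RustFS code: a scanner for PEM private-key blocks embedded
// in source or binaries. It ignores public keys and certificates, which are
// safe to ship. SAMPLE_SOURCE is constructed for the example and contains no
// real key material.

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub offset: usize,
    pub label: String,
}

/// PEM labels that denote private material.
const PRIVATE_LABELS: [&str; 5] = [
    "RSA PRIVATE KEY",
    "PRIVATE KEY",
    "EC PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY",
    "OPENSSH PRIVATE KEY",
];

fn find(hay: &[u8], needle: &[u8]) -> Option<usize> {
    hay.windows(needle.len()).position(|w| w == needle)
}

/// Walk arbitrary bytes (a .rs file, a stripped binary, a container layer) and
/// report every "-----BEGIN <LABEL>-----" whose label is in PRIVATE_LABELS.
pub fn find_embedded_private_keys(data: &[u8]) -> Vec<Finding> {
    const BEGIN: &[u8] = b"-----BEGIN ";
    let mut findings = Vec::new();
    let mut pos = 0;
    while let Some(rel) = find(&data[pos..], BEGIN) {
        let start = pos + rel;
        let label_start = start + BEGIN.len();
        // The label runs up to the closing dashes of the BEGIN line.
        let label_end = match find(&data[label_start..], b"-----") {
            Some(rel_end) => label_start + rel_end,
            None => break,
        };
        let label = String::from_utf8_lossy(&data[label_start..label_end]).into_owned();
        if PRIVATE_LABELS.contains(&label.as_str()) {
            findings.push(Finding { offset: start, label });
        }
        pos = label_end;
    }
    findings
}

/// Constructed stand-in for a source file that ships a signing key next to the
/// public key that verification actually needs. Bodies are placeholders.
pub const SAMPLE_SOURCE: &str = "\
const TEST_PRIVATE_KEY: &str = \"-----BEGIN RSA PRIVATE KEY-----\\nCONSTRUCTED-PLACEHOLDER-NOT-A-KEY\\n-----END RSA PRIVATE KEY-----\";
const LICENSE_PUBLIC_KEY: &str = \"-----BEGIN PUBLIC KEY-----\\nCONSTRUCTED-PLACEHOLDER\\n-----END PUBLIC KEY-----\";
";

fn main() {
    for f in find_embedded_private_keys(SAMPLE_SOURCE.as_bytes()) {
        println!("private key material at byte {}: {}", f.offset, f.label);
    }
}
```

Run over a release tarball and the shipped binaries, a single hit is a release blocker. Scanning bytes rather than text matters because the constant survives compilation: a string literal in a Rust binary is still the PEM armour and is still recoverable by anyone who downloads the build.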

MEDIUM rustfs CVE published 2026-05-28

CVE-2026-45040

CVE-2026-45040 documents a sensitive information disclosure vulnerability in RustFS, a distributed object storage system implemented in Rust. When the server operates with RUST_LOG=debug, authentication credentials including SessionToken (JWT), SecretAccessKey, and complete JWT claims are emitted in plaintext to server logs. The vulnerability stems from improper logging practices that fail to sanitize sen [truncated]
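A log sanitizer of the kind that closes this gap, as an added example rather than RustFS code: it masks the value following a SecretAccessKey or SessionToken field and any JWT-shaped token regardless of field name, and doubles as a check over logs already written at debug level. The field names are the ones the advisory names; the line format, the module tags and every credential value in SAMPLE_LINES are constructed for the example.

```rust
// Added example, not RustFS code: a log sanitizer applied before a line reaches
// the sink, so a debug-level run cannot emit credential values. The field names
// come from the advisory; the line format and every value below are constructed.

/// Field names whose value must never reach a log.
const SENSITIVE_KEYS: [&str; 2] = ["SecretAccessKey", "SessionToken"];

/// A JWT is three dot-separated base64url segments; header and claims are JSON
/// objects, so both encode to a segment beginning with "eyJ" (the encoding of '{"').
pub fn looks_like_jwt(word: &str) -> bool {
    let parts: Vec<&str> = word.split('.').collect();
    parts.len() == 3
        && parts[0].starts_with("eyJ")
        && parts[1].starts_with("eyJ")
        && parts.iter().all(|p| {
            !p.is_empty() && p.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_')
        })
}

fn is_delimiter(c: char) -> bool {
    c.is_whitespace() || matches!(c, '"' | '\'' | ',' | '{' | '}' | '[' | ']' | ':' | '=')
}

/// Emit one token: masked if it follows a sensitive key or is JWT-shaped,
/// verbatim otherwise. `redact_next` is set when the token itself is a key.
fn emit(token: &mut String, out: &mut String, redact_next: &mut bool) {
    if token.is_empty() {
        return;
    }
    if *redact_next || looks_like_jwt(token) {
        out.push_str("[REDACTED]");
        *redact_next = false;
    } else {
        *redact_next = SENSITIVE_KEYS.contains(&token.as_str());
        out.push_str(token);
    }
    token.clear();
}

/// Mask the value after any sensitive key ("k=v", "k: v", "\"k\":\"v\"") and any
/// JWT-shaped token anywhere in the line; delimiters are preserved.
pub fn redact_line(line: &str) -> String {
    let mut out = String::with_capacity(line.len());
    let mut token = String::new();
    let mut redact_next = false;
    for c in line.chars() {
        if is_delimiter(c) {
            emit(&mut token, &mut out, &mut redact_next);
            out.push(c);
        } else {
            token.push(c);
        }
    }
    emit(&mut token, &mut out, &mut redact_next);
    out
}

/// A line leaks credentials exactly when the sanitizer would change it; useful
/// as a check over logs that were already written at debug level.
pub fn contains_credentials(line: &str) -> bool {
    redact_line(line) != line
}

/// Constructed debug lines of the kind the advisory describes (values are fake).
pub const SAMPLE_LINES: [&str; 3] = [
    "DEBUG auth: credentials AccessKeyId=AKIAEXAMPLE SecretAccessKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "DEBUG auth: parsed token {\"SessionToken\":\"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImV4cCI6MTcwMDAwMDAwMH0.ZmFrZXNpZ25hdHVyZQ\"}",
    "INFO api: GET /bucket/object 200 12ms",
];

fn main() {
    for line in SAMPLE_LINES.iter() {
        println!("{}", redact_line(line));
    }
}
```

The JWT rule is there because a session token is a bearer credential whether or not it sits behind a recognisable field name: anyone who reads the log can replay it until it expires, and the claims inside it are only base64url-encoded, not encrypted. If the debug logging is kept at all, the redaction has to happen in the logging layer itself, since a debug! call that formats a credentials struct will otherwise bypass any sanitizing done at the call sites that were remembered.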