CVE-2026-45042
HIGHRustFS: UploadPartCopy Does Not Enforce Destination Bucket Policy on Copy Source
Title source: cnaDescription
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation validates GetObject permission on the source bucket and PutObject on the destination bucket independently, but does not enforce any policy constraints on whether the destination bucket permits the specified copy source. This enables unauthorized cross-bucket data movement. This vulnerability is fixed in 1.0.0-beta.2.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/rustfs/rustfs/security/advisories/GHSA-wfxj-ph3v-7mjf
Scores
CVSS v4
7.1
EPSS
0.0021
EPSS Percentile
10.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (1)
rustfs/rustfs
< 1.0.0-beta.2
Published
May 28, 2026
Tracked Since
May 29, 2026