IP-based Access Control Bypass in RustFS Distributed Object Storage System
CVE-2026-21862

7.7HIGH

Key Information:

Vendor: Rustfs
Status: Rustfs
Vendor: CVE Published:; 3 February 2026

What is CVE-2026-21862?

RustFS, a distributed object storage system written in Rust, has a security vulnerability that allows attackers to bypass IP-based access control measures. This issue arises because the 'get_condition_values' function accepts client-supplied X-Forwarded-For and X-Real-Ip headers without proper verification of trusted proxies. Consequently, any accessible client has the potential to spoof the 'aws:SourceIp' header, thus evading IP allowlist policies. Users are advised to upgrade to version alpha.78 or later, where this issue has been effectively mitigated.

Affected Version(s)

rustfs < alpha.78

References

https://github.com/rustfs/rustfs/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V4

Score:

7.7

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 3, 2026
Vulnerability Reserved
Jan 5, 2026

CVE-2026-21862 Data

JSON

Rustfs

What is CVE-2026-21862?

Affected Version(s)

References

CVSS V4

Timeline