Unauthorized File Upload Vulnerability in RustFS Distributed Object Storage
CVE-2026-27607
What is CVE-2026-27607?
RustFS, a distributed object storage system, contains a vulnerability in its handling of presigned POST uploads in specific alpha versions. The flaw allows attackers to circumvent the content-length and content-type restrictions on an upload, potentially enabling unauthorized file uploads that exceed established size limits and that target arbitrary object keys. Such uploads could lead to storage exhaustion, unauthorized access to sensitive data, and various other security issues, compromising the integrity of the system. The issue has been resolved in version 1.0.0-alpha.83.
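The check below is an added example, not RustFS code and not taken from the advisory: one way a server can enforce the size, content-type and key restrictions described above when a presigned POST arrives. It assumes the restrictions are expressed as S3-style POST policy conditions; `Condition` and `check_upload` are hypothetical names.

```rust
use std::collections::HashMap;
// Constructed model of S3-style POST policy conditions (assumed; not RustFS types).
enum Condition {
    Eq(&'static str, &'static str),         // ["eq", "$Content-Type", "image/png"]
    StartsWith(&'static str, &'static str), // ["starts-with", "$key", "uploads/"]
    ContentLengthRange(u64, u64),           // ["content-length-range", 1, 1024]
}

// `fields`: submitted form fields except file, policy and signature, names already normalised.
fn check_upload(policy: &[Condition], fields: &HashMap<&str, &str>, received_len: u64) -> Result<(), String> {
    // Every submitted field must be constrained by some condition.
    for name in fields.keys() {
        let covered = policy.iter().any(|c| match c {
            Condition::Eq(f, _) | Condition::StartsWith(f, _) => *f == *name,
            Condition::ContentLengthRange(..) => false,
        });
        if !covered {
            return Err(format!("field {name} is not covered by the policy"));
        }
    }
    for c in policy {
        match c {
            Condition::Eq(f, want) => {
                if fields.get(*f).copied() != Some(*want) {
                    return Err(format!("{f} does not equal the signed value"));
                }
            }
            Condition::StartsWith(f, prefix) => {
                if !fields.get(*f).map_or(false, |v| v.starts_with(*prefix)) {
                    return Err(format!("{f} does not start with {prefix}"));
                }
            }
            Condition::ContentLengthRange(min, max) => {
                // Compare the bytes counted while reading the body, not a client-declared length.
                if received_len < *min || received_len > *max {
                    return Err(format!("size {received_len} outside {min}..={max}"));
                }
            }
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample: a 4096-byte body checked against a 1..=1024 size condition.
    let policy = [Condition::StartsWith("key", "uploads/"), Condition::Eq("Content-Type", "image/png"), Condition::ContentLengthRange(1, 1024)];
    let fields = HashMap::from([("key", "uploads/a.png"), ("Content-Type", "image/png")]);
    println!("{:?}", check_upload(&policy, &fields, 4096));
}
```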
Affected Version(s)
rustfs >= 1.0.0-alpha.56, < 1.0.0-alpha.83