
CVE-2026-21862

Severity: High
Published: 03 February 2026
Modified: 23 February 2026
KEV Added: not listed
Patch: available (alpha.78)
CVSS v4 score: 7.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0005 (17.2nd percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-21862 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in RustFS (vendor Rustfs, product Rustfs). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS model ranks it at the 17.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-21862 affects RustFS, a distributed object storage system written in Rust. In versions prior to alpha.78, IP-based access control can be bypassed because the get_condition_values function trusts client-supplied X-Forwarded-For or X-Real-Ip headers without first verifying that the request arrived through a trusted proxy. An attacker can therefore spoof the aws:SourceIp condition value and satisfy IP-allowlist policies. The issue is rated 7.5 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is classified as CWE-290.

Any network-reachable client can exploit this vulnerability without authentication or user interaction. By supplying forged X-Forwarded-For or X-Real-Ip headers, an attacker can impersonate an allowed IP address and bypass IP restrictions on object storage access. The impact is to integrity (unauthorized data modification or policy evasion); confidentiality and availability are not affected.

The GitHub Security Advisory at https://github.com/rustfs/rustfs/security/advisories/GHSA-fc6g-2gcp-2qrq describes the fix shipped in RustFS version alpha.78, which corrects the trust assumption in header processing. Operators should upgrade to alpha.78 or later.
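As an added illustration (not RustFS's code and not the advisory's patch), the Rust sketch below contrasts the trust mistake described above with a hardened version: forwarding headers are consulted only when the TCP peer is a proxy the operator controls, and the chain is walked from the right so the result is the address a trusted hop attached rather than one the client wrote. `Cidr`, `Headers`, `source_ip_unverified`, `source_ip_verified`, `allowlist_permits`, and every address range used are assumptions constructed for this example; RustFS's real `get_condition_values` and policy engine are structured differently.

```rust
use std::net::Ipv4Addr;

/// Minimal IPv4 CIDR block (e.g. "10.0.0.0/8"), standing in for an
/// aws:SourceIp condition value or a trusted-proxy range. Constructed for the example.
#[derive(Clone, Copy, Debug)]
pub struct Cidr {
    net: Ipv4Addr,
    prefix: u8,
}

impl Cidr {
    pub fn parse(s: &str) -> Option<Cidr> {
        let (ip, prefix) = match s.split_once('/') {
            Some((ip, p)) => (ip, p.parse::<u8>().ok()?),
            None => (s, 32),
        };
        if prefix > 32 {
            return None;
        }
        Some(Cidr { net: ip.parse().ok()?, prefix })
    }

    pub fn contains(&self, ip: Ipv4Addr) -> bool {
        let mask: u32 = if self.prefix == 0 { 0 } else { u32::MAX << (32 - self.prefix) };
        (u32::from(self.net) & mask) == (u32::from(ip) & mask)
    }
}

/// Request headers exactly as received from the socket: attacker-controlled text.
pub type Headers<'a> = &'a [(&'a str, &'a str)];

fn header<'a>(headers: Headers<'a>, name: &str) -> Option<&'a str> {
    headers.iter().find(|(k, _)| k.eq_ignore_ascii_case(name)).map(|(_, v)| *v)
}

/// Vulnerable pattern (illustrative, not RustFS's code): whatever the request
/// carries in X-Forwarded-For or X-Real-Ip becomes the source address, so a
/// direct client can claim any address it likes.
pub fn source_ip_unverified(peer: Ipv4Addr, headers: Headers<'_>) -> Ipv4Addr {
    if let Some(xff) = header(headers, "x-forwarded-for") {
        if let Some(first) = xff.split(',').next() {
            if let Ok(ip) = first.trim().parse::<Ipv4Addr>() {
                return ip;
            }
        }
    }
    if let Some(xri) = header(headers, "x-real-ip") {
        if let Ok(ip) = xri.trim().parse::<Ipv4Addr>() {
            return ip;
        }
    }
    peer
}

/// Hardened form: forwarding headers count only when the TCP peer is a proxy
/// we operate. The chain is walked from the right, skipping our own proxies,
/// so the answer is the address a trusted hop attached, never one the client
/// wrote. None means "no trustworthy source address": the caller must deny.
pub fn source_ip_verified(peer: Ipv4Addr, headers: Headers<'_>, trusted_proxies: &[Cidr]) -> Option<Ipv4Addr> {
    let is_trusted = |ip: Ipv4Addr| trusted_proxies.iter().any(|c| c.contains(ip));
    if !is_trusted(peer) {
        // Direct connection: the socket address is the only trustworthy source.
        return Some(peer);
    }
    for hop in header(headers, "x-forwarded-for")?.rsplit(',') {
        match hop.trim().parse::<Ipv4Addr>() {
            Ok(ip) if is_trusted(ip) => continue,
            Ok(ip) => return Some(ip),
            Err(_) => return None, // malformed chain: fail closed
        }
    }
    None // every hop was one of our proxies; no client address to evaluate
}

/// An aws:SourceIp style allowlist decision; an unknown source never matches.
pub fn allowlist_permits(allow: &[Cidr], source: Option<Ipv4Addr>) -> bool {
    source.map_or(false, |ip| allow.iter().any(|c| c.contains(ip)))
}

fn main() {
    // Constructed sample values: a trusted reverse-proxy range, a policy that
    // allows only the internal 10/8 network, and one external client that
    // connects directly and forges a header.
    let trusted = [Cidr::parse("192.0.2.0/24").unwrap()];
    let allow = [Cidr::parse("10.0.0.0/8").unwrap()];
    let external = Ipv4Addr::new(203, 0, 113, 9);
    let forged: Headers<'_> = &[("X-Forwarded-For", "10.0.0.5")];

    let naive = source_ip_unverified(external, forged);
    let checked = source_ip_verified(external, forged, &trusted);
    println!("unverified: {naive} permitted={}", allowlist_permits(&allow, Some(naive)));
    println!("verified:   {checked:?} permitted={}", allowlist_permits(&allow, checked));
}
```

The important design choice is the fail-closed `Option`: when the peer is a trusted proxy but the chain is missing, malformed, or contains only our own proxies, no source address is produced and the allowlist check denies, rather than falling back to the proxy's own (often internal, often allowlisted) address. Deployments whose proxy sets only X-Real-Ip would consult that header at the same point, under the same peer check.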


Vulnerability details

RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies.

This issue has been patched in version alpha.78.

CWE(s)

CWE-290 Authentication Bypass by Spoofing

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Vulnerability directly enables remote exploitation of a public-facing object storage service to bypass IP-based access controls via header spoofing.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22782 (same product: Rustfs Rustfs)
CVE-2026-40937 (same product: Rustfs Rustfs)
CVE-2025-68705 (same product: Rustfs Rustfs)
CVE-2026-24762 (same product: Rustfs Rustfs)
CVE-2026-22042 (same product: Rustfs Rustfs)
CVE-2026-27822 (same product: Rustfs Rustfs)
CVE-2025-68926 (same product: Rustfs Rustfs)
CVE-2026-27607 (same product: Rustfs Rustfs)
CVE-2026-22043 (same product: Rustfs Rustfs)
CVE-2024-55925 (shared CWE-290)

Affected Assets

Vendor: rustfs
Product: rustfs
Version: 1.0.0

Mitigating Controls (NIST 800-53 r5, AI)

AC-24 Access Control Decisions (prevent)
Requires verification of access authorization information like source IP prior to granting access, directly preventing reliance on unverified client-supplied X-Forwarded-For or X-Real-Ip headers for IP-allowlist decisions.

Information input validation (prevent)
Mandates validation of information inputs such as proxy headers to ensure they cannot be spoofed to bypass IP-based access controls in get_condition_values.

SC-7 Boundary Protection (prevent)
Enforces monitoring and control of communications at external boundaries using authentic network source IPs, mitigating application-level spoofing of proxy headers for access policy evasion.
