CVE-2026-21862
Published: 03 February 2026
Summary
CVE-2026-21862 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in RustFS. Its CVSS 3.1 base score is 7.5 (High), consistent with the vector given in the analysis below.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 17.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2026-21862 affects RustFS, a distributed object storage system written in Rust. In versions prior to alpha.78, the get_condition_values function, which builds the condition values used in policy evaluation, populates the aws:SourceIp condition key from the client-supplied X-Forwarded-For or X-Real-Ip header without first checking that the request arrived through a trusted proxy. Because any client can set those headers, an attacker can present an address of their choosing as aws:SourceIp and satisfy IP-allowlist policies. The issue carries a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is classified as CWE-290.
Exploitation needs no credentials, no user interaction and nothing beyond network reachability: a request carrying a forged X-Forwarded-For or X-Real-Ip header is enough to impersonate an allowed address and pass IP restrictions on object storage access. The vector scores this as high integrity impact (unauthorized data modification, policy evasion) with no confidentiality or availability impact. In practice the exposure depends on what the IP condition was guarding, so treat any policy that relies solely on aws:SourceIp as bypassable until the fix is applied.
The GitHub Security Advisory at https://github.com/rustfs/rustfs/security/advisories/GHSA-fc6g-2gcp-2qrq covers the fix, released in RustFS alpha.78, which stops trusting these headers unconditionally. Upgrade to alpha.78 or later. Where an upgrade must wait, make sure RustFS is reachable only through a reverse proxy that overwrites (rather than appends to) X-Forwarded-For and X-Real-Ip, and do not rely on aws:SourceIp conditions for requests that can reach the service directly.
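The following Rust example is added here and is not RustFS code or the alpha.78 patch; it is a standalone model of the two behaviours the advisory describes. The Request type, the trusted_proxies list, the CIDR matcher and the sample addresses are all constructed for this illustration. source_ip_vulnerable reproduces the pre-alpha.78 trust in X-Forwarded-For / X-Real-Ip; source_ip_hardened only honours those headers when the TCP peer is a configured trusted proxy and, going beyond what the advisory spells out, walks X-Forwarded-For from the right past trusted hops so a client relayed through the proxy cannot prepend a fake address either.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr};

/// Minimal request model (constructed for this example): the TCP peer
/// address and the HTTP headers with names lower-cased.
pub struct Request {
    pub peer: IpAddr,
    pub headers: HashMap<String, String>,
}

impl Request {
    pub fn new(peer: &str, headers: &[(&str, &str)]) -> Self {
        Request {
            peer: peer.parse().expect("valid peer ip"),
            headers: headers
                .iter()
                .map(|(k, v)| (k.to_ascii_lowercase(), v.to_string()))
                .collect(),
        }
    }
}

/// VULNERABLE: models the pre-alpha.78 behaviour described in the advisory.
/// Any client can set X-Forwarded-For / X-Real-Ip, so the value that ends up
/// as aws:SourceIp is attacker-controlled.
pub fn source_ip_vulnerable(req: &Request) -> IpAddr {
    if let Some(xff) = req.headers.get("x-forwarded-for") {
        if let Some(first) = xff.split(',').next() {
            if let Ok(ip) = first.trim().parse() {
                return ip;
            }
        }
    }
    if let Some(real) = req.headers.get("x-real-ip") {
        if let Ok(ip) = real.trim().parse() {
            return ip;
        }
    }
    req.peer
}

/// HARDENED (illustrative, not the project's patch): consult forwarding
/// headers only when the TCP peer is a configured trusted proxy, and walk
/// X-Forwarded-For from the right, skipping trusted hops, so the result is
/// the first address that was NOT appended by something we trust.
pub fn source_ip_hardened(req: &Request, trusted_proxies: &[IpAddr]) -> IpAddr {
    if !trusted_proxies.contains(&req.peer) {
        return req.peer; // headers came straight from an untrusted client: ignore them
    }
    if let Some(xff) = req.headers.get("x-forwarded-for") {
        for hop in xff.split(',').rev() {
            match hop.trim().parse::<IpAddr>() {
                Ok(ip) if trusted_proxies.contains(&ip) => continue,
                Ok(ip) => return ip,
                Err(_) => break, // malformed hop: trust nothing to its left
            }
        }
    }
    if let Some(real) = req.headers.get("x-real-ip") {
        if let Ok(ip) = real.trim().parse() {
            return ip;
        }
    }
    req.peer
}

/// IPv4 CIDR match, enough to evaluate an aws:SourceIp allowlist condition.
pub fn in_cidr(ip: IpAddr, cidr: &str) -> bool {
    let (net, bits) = cidr.split_once('/').unwrap_or((cidr, "32"));
    let (IpAddr::V4(ip), Ok(net), Ok(bits)) =
        (ip, net.parse::<Ipv4Addr>(), bits.parse::<u32>())
    else {
        return false;
    };
    if bits > 32 {
        return false;
    }
    let mask = if bits == 0 { 0 } else { u32::MAX << (32 - bits) };
    (u32::from(ip) & mask) == (u32::from(net) & mask)
}

/// Policy decision: allow only if aws:SourceIp falls inside an allowed CIDR.
pub fn allowed(source_ip: IpAddr, allow_cidrs: &[&str]) -> bool {
    allow_cidrs.iter().any(|c| in_cidr(source_ip, c))
}

fn main() {
    let allow = ["10.0.0.0/8"];
    let proxies: Vec<IpAddr> = vec!["10.0.0.2".parse().unwrap()];
    // Constructed: an internet client (203.0.113.7) spoofing an internal address.
    let attack = Request::new("203.0.113.7", &[("X-Forwarded-For", "10.0.0.5")]);
    println!("vulnerable allows spoof: {}", allowed(source_ip_vulnerable(&attack), &allow));
    println!("hardened allows spoof:   {}", allowed(source_ip_hardened(&attack, &proxies), &allow));
    // Constructed: a genuine internal client relayed by the trusted proxy.
    let legit = Request::new("10.0.0.2", &[("X-Forwarded-For", "10.0.0.5, 10.0.0.2")]);
    println!("hardened allows legit:   {}", allowed(source_ip_hardened(&legit, &proxies), &allow));
}
```

The two decisions differ only on the first request: the vulnerable path reads the attacker's header and grants access, while the hardened path sees that the TCP peer is not a trusted proxy and evaluates the policy against the real socket address. The trusted-proxy list and the right-to-left walk are the pieces a fix of this class needs; which exact configuration surface RustFS alpha.78 exposes for that is not something this page states.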
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5219
Vulnerability details
RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies.…
This issue has been patched in version alpha.78.
- CWE(s): CWE-290 Authentication Bypass by Spoofing
Related Threats
MITRE ATT&CK Enterprise Techniques: T1190 Exploit Public-Facing Application
Why these techniques?
The vulnerability lets any remote client exploit a public-facing object storage service directly, bypassing IP-based access controls by spoofing proxy headers.
Mitigating Controls (NIST 800-53 r5)
- AC-24 (Access Control Decisions): requires verification of access authorization information such as source IP before granting access, which rules out basing IP-allowlist decisions on unverified client-supplied X-Forwarded-For or X-Real-Ip headers.
- SI-10 (Information Input Validation): mandates validation of information inputs such as proxy headers so they cannot be spoofed to bypass IP-based access controls in get_condition_values.
- SC-7 (Boundary Protection): enforces monitoring and control of communications at external boundaries using authentic network source IPs, for example by having the edge proxy overwrite forwarding headers, which limits application-level spoofing of proxy headers for access policy evasion.