CVE-2026-27607
Published: 25 February 2026
Summary
CVE-2026-27607 is a high-severity Improper Input Validation (CWE-20) vulnerability in RustFS (vendor Rustfs). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The vulnerability ranks at the 30.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mandates validation of inputs such as content-length-range, starts-with, and Content-Type in presigned POST uploads, preventing bypass of policy constraints.
- AC-3 (Access Enforcement): Enforces approved authorizations and policy conditions in presigned URLs, blocking unauthorized uploads to arbitrary object keys and content-type spoofing.
- SI-2 (Flaw Remediation): Requires timely identification and patching of flaws such as the policy validation failure fixed in RustFS version 1.0.0-alpha.83.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables exploitation of a remote object storage service (T1210) via presigned POST bypass. This facilitates oversized uploads that cause endpoint denial of service through application exploitation (T1499.004), and unauthorized writes to arbitrary object keys that amount to stored data manipulation (T1565.001).
NVD Description
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses. Version 1.0.0-alpha.83 fixes the issue.
Deeper analysis
CVE-2026-27607 affects RustFS, a distributed object storage system built in Rust, specifically in versions 1.0.0-alpha.56 through 1.0.0-alpha.82. The vulnerability stems from a failure to validate policy conditions in presigned POST uploads via the PostObject operation, enabling attackers to bypass constraints on content-length-range, starts-with, and Content-Type. This improper input validation (CWE-20) and incorrect authorization (CWE-863) allows unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing. The issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and was published on 2026-02-25.
Attackers with low privileges, such as authenticated users able to obtain presigned POST URLs, can exploit this over the network with low complexity and no user interaction. Successful exploitation enables storage exhaustion through oversized uploads, unauthorized data access by writing to arbitrary object keys, security bypasses via content-type spoofing, and potential integrity violations, aligning with the high impact on integrity (I:H) and availability (A:H).
The GitHub Security Advisory at https://github.com/rustfs/rustfs/security/advisories/GHSA-w5fh-f8xh-5x3p details the issue and confirms that upgrading to version 1.0.0-alpha.83 resolves the vulnerability by properly enforcing policy conditions in presigned POST uploads. Security practitioners should prioritize patching affected RustFS deployments to mitigate these risks.
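The enforcement step that the fix restores, shown as an added example in Rust that is neither RustFS code nor part of the advisory: the `Condition` enum, `validate_post_policy` and `lookup` are assumptions made for this illustration (RustFS's real types are not on this page), and the policy is modelled in simplified form rather than parsed from the JSON document. The check evaluates the three condition kinds named above and, following S3's rule, also rejects any form field that no condition covers.

```rust
use std::collections::HashMap;
/// One condition of an S3-style POST policy (hypothetical simplified model; real
/// policies are JSON arrays such as ["starts-with", "$key", "uploads/"]).
pub enum Condition {
    Eq { field: String, value: String },
    StartsWith { field: String, prefix: String },
    ContentLengthRange { min: u64, max: u64 },
}

/// Form field names are case-insensitive in S3 POST uploads.
fn lookup<'a>(form: &'a HashMap<String, String>, field: &str) -> Option<&'a String> {
    form.iter().find(|(k, _)| k.eq_ignore_ascii_case(field)).map(|(_, v)| v)
}

/// Checks every policy condition against the multipart form fields and the file
/// size, returning the first violation: the step the affected versions skipped.
pub fn validate_post_policy(
    conditions: &[Condition], form: &HashMap<String, String>, file_len: u64,
) -> Result<(), String> {
    for cond in conditions {
        match cond {
            Condition::Eq { field, value } => match lookup(form, field) {
                Some(v) if v == value => {}
                other => return Err(format!("{field}: expected {value:?}, got {other:?}")),
            },
            Condition::StartsWith { field, prefix } => match lookup(form, field) {
                Some(v) if v.starts_with(prefix.as_str()) => {}
                other => return Err(format!("{field}: {other:?} lacks prefix {prefix:?}")),
            },
            Condition::ContentLengthRange { min, max } if file_len < *min || file_len > *max => {
                return Err(format!("file size {file_len} outside {min}..={max}"))
            }
            Condition::ContentLengthRange { .. } => {}
        }
    }
    // S3 also rejects any form field that no condition covers, apart from
    // file, policy, x-amz-signature and x-ignore-* fields.
    for name in form.keys() {
        let lower = name.to_ascii_lowercase();
        let exempt = matches!(lower.as_str(), "file" | "policy" | "x-amz-signature")
            || lower.starts_with("x-ignore-");
        let covered = conditions.iter().any(|c| match c {
            Condition::Eq { field, .. } | Condition::StartsWith { field, .. } => field.eq_ignore_ascii_case(name),
            _ => false,
        });
        if !exempt && !covered { return Err(format!("uncovered form field {name:?}")); }
    }
    Ok(())
}
```

Run the check only after the policy signature has verified; a valid signature proves who issued the policy, not that the submitted form honours it.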
Details
- CWE(s)