Auth bypass in RustFS

CVE-2026-39360

RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the multipart copy path (UploadPartCopy). A low-privileged user who cannot read objects from a victim bucket c…

Vulnerability class: Broken Access Control

EPSS: 0.000 (10.5th percentile)

Affected products

  • Rustfs — versions < alpha.90
