Auth bypass in RustFS
CVE-2026-46685
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Ori…
Vulnerability class: Broken Authentication
EPSS: 0.000 (3.4th percentile)
Affected products
- RustFS — versions < 1.0.0-beta.2
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)