CVE-2026-21862 — HIGH (7.5)

Vulnerability Description

RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. This issue has been patched in version alpha.78.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Rustfs	Rustfs	1.0.0

Related Weaknesses (CWE)

CWE-290

References

https://github.com/rustfs/rustfs/security/advisories/GHSA-fc6g-2gcp-2qrqVendor Advisory

FAQ

What is CVE-2026-21862?

CVE-2026-21862 is a vulnerability with a CVSS score of 7.5 (HIGH). RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip w...

How severe is CVE-2026-21862?

CVE-2026-21862 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-21862?

Check the references section above for vendor advisories and patch information. Affected products include: Rustfs Rustfs.