CVE-2026-39360 — MEDIUM (4.3)

Vulnerability Description

RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the multipart copy path (UploadPartCopy). A low-privileged user who cannot read objects from a victim bucket can still exfiltrate victim objects by copying them into an attacker-controlled multipart upload and completing the upload. This breaks tenant isolation in multi-user / multi-tenant deployments. This vulnerability is fixed in alpha.90.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Rustfs	Rustfs	1.0.0

Related Weaknesses (CWE)

CWE-862

References

https://github.com/rustfs/rustfs/security/advisories/GHSA-mx42-j6wv-px98ExploitVendor Advisory

FAQ

What is CVE-2026-39360?

CVE-2026-39360 is a vulnerability with a CVSS score of 4.3 (MEDIUM). RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the multipart copy path (UploadPartCopy). A low-privileged user who can...

How severe is CVE-2026-39360?

CVE-2026-39360 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-39360?

Check the references section above for vendor advisories and patch information. Affected products include: Rustfs Rustfs.