Vulnerability-Lookup

CVE-2026-21862 (GCVE-0-2026-21862)

Vulnerability from cvelistv5 – Published: 2026-02-03 16:06 – Updated: 2026-02-03 17:10

Title

RustFS sourceIp bypass via spoofed X-Forwarded-For/Real-IP headers

Summary

RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. This issue has been patched in version alpha.78.

Severity ?

7.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

CWE

CWE-290 - Authentication Bypass by Spoofing

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	rustfs	rustfs	Affected: < alpha.78

GHSA-FC6G-2GCP-2QRQ

Vulnerability from github – Published: 2026-02-03 17:31 – Updated: 2026-02-03 18:55

Summary

RustFS has SourceIp bypass via spoofed X-Forwarded-For/Real-IP headers

Details

Summary

IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies.

Details

Vulnerable code: rustfs/src/auth.rs:289-304 sets remote_addr from X-Forwarded-For/X-Real-Ip, then inserts SourceIp via get_source_ip_raw, with no trust boundary or proxy validation:
- let remote_addr = header.get("x-forwarded-for").and_then(...).or_else(|| header.get("x-real-ip")...).unwrap_or("127.0.0.1");
- args.insert("SourceIp", vec![get_source_ip_raw(header, remote_addr)]);
This value feeds IAM/bucket policy evaluation in rustfs/src/storage/access.rs (authorization path), so any request that forges the header can meet aws:SourceIp conditions.
No authentication is required beyond the request itself; the header is taken at face value even on direct connections.

PoC

rustfs-auth-trusted-ip-header-spoofing-poc.tar.gz

Steps (already included in rustfs-auth-trusted-ip-header-spoofing-poc/):

Start RustFS with two local volumes, e.g.:

     mkdir -p /tmp/rustfs-data1 /tmp/rustfs-data2
     RUSTFS_ACCESS_KEY=devadmin RUSTFS_SECRET_KEY=devadmin \
       cargo run --bin rustfs -- --address 0.0.0.0:9000 \
       /tmp/rustfs-data1 /tmp/rustfs-data2

From rustfs-auth-trusted-ip-header-spoofing-poc/, run:

     ENDPOINT=http://127.0.0.1:9000 make run

 The script:
  - Creates bucket `rustfs-trusted-ip-poc`.
  - Applies a bucket policy allowing `s3:ListBucket` only from `10.0.0.5/32` (`Principal: {"AWS":["*"]},` Resource array).
  - Sends three unauthenticated `ListBucket` calls:
      - Baseline (no spoof) → HTTP 403.
      - Spoofed `X-Forwarded-For: 10.0.0.5` → HTTP 200 (policy bypass).
      - Spoofed `X-Forwarded-For: 1.2.3.4` → HTTP 403.
  - Responses saved to `poc-baseline.xml`, `poc-spoofed.xml`, `poc-deny.xml`.

Impact

Vulnerability type: Authorization bypass of IP-allowlist (aws:SourceIp) via header spoofing.
Who is impacted: Any deployment relying on aws:SourceIp in IAM/bucket policies for S3 operations. Attackers with network reach to RustFS can forge forwarded-IP headers to gain list/read/write where IP restrictions were meant to block them.

Credits

Identified by SecMate (https://secmate.dev) automated analysis and validated during manual triage.

Severity ?

7.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "rustfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0-alpha.78"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-21862"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-03T17:31:41Z",
    "nvd_published_at": "2026-02-03T16:16:12Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nIP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies.\n\n### Details\n\n  - Vulnerable code: `rustfs/src/auth.rs:289-304` sets `remote_addr` from `X-Forwarded-For`/`X-Real-Ip`, then inserts `SourceIp` via\n    `get_source_ip_raw`, with no trust boundary or proxy validation:\n      - `let remote_addr = header.get(\"x-forwarded-for\").and_then(...).or_else(|| header.get(\"x-real-ip\")...).unwrap_or(\"127.0.0.1\");`\n      - `args.insert(\"SourceIp\", vec![get_source_ip_raw(header, remote_addr)]);`\n  - This value feeds IAM/bucket policy evaluation in `rustfs/src/storage/access.rs` (authorization path), so any request that forges the header can meet `aws:SourceIp` conditions.\n  - No authentication is required beyond the request itself; the header is taken at face value even on direct connections.\n\n\n### PoC\n\n[rustfs-auth-trusted-ip-header-spoofing-poc.tar.gz](https://github.com/user-attachments/files/24038162/rustfs-auth-trusted-ip-header-spoofing-poc.tar.gz)\n\n\nSteps (already included in `rustfs-auth-trusted-ip-header-spoofing-poc/`):\n\n  1. Start RustFS with two local volumes, e.g.:\n\n```\n     mkdir -p /tmp/rustfs-data1 /tmp/rustfs-data2\n     RUSTFS_ACCESS_KEY=devadmin RUSTFS_SECRET_KEY=devadmin \\\n       cargo run --bin rustfs -- --address 0.0.0.0:9000 \\\n       /tmp/rustfs-data1 /tmp/rustfs-data2\n```\n\n  2. From `rustfs-auth-trusted-ip-header-spoofing-poc`/, run:\n\n```\n     ENDPOINT=http://127.0.0.1:9000 make run\n```\n\n     The script:\n      - Creates bucket `rustfs-trusted-ip-poc`.\n      - Applies a bucket policy allowing `s3:ListBucket` only from `10.0.0.5/32` (`Principal: {\"AWS\":[\"*\"]},` Resource array).\n      - Sends three unauthenticated `ListBucket` calls:\n          - Baseline (no spoof) \u2192 HTTP 403.\n          - Spoofed `X-Forwarded-For: 10.0.0.5` \u2192 HTTP 200 (policy bypass).\n          - Spoofed `X-Forwarded-For: 1.2.3.4` \u2192 HTTP 403.\n      - Responses saved to `poc-baseline.xml`, `poc-spoofed.xml`, `poc-deny.xml`.\n\n\n### Impact\n\n  - Vulnerability type: Authorization bypass of IP-allowlist (`aws:SourceIp`) via header spoofing.\n  - Who is impacted: Any deployment relying on `aws:SourceIp` in IAM/bucket policies for S3 operations. Attackers with network reach to RustFS can forge forwarded-IP headers to gain list/read/write where IP restrictions were meant to block them.\n\n### Credits\nIdentified by SecMate (https://secmate.dev) automated analysis and validated during manual triage.",
  "id": "GHSA-fc6g-2gcp-2qrq",
  "modified": "2026-02-03T18:55:45Z",
  "published": "2026-02-03T17:31:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-fc6g-2gcp-2qrq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21862"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rustfs/rustfs/commit/b4ba62fa3300b5b258fdc0da141481e3be7ea960"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rustfs/rustfs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "RustFS has SourceIp bypass via spoofed X-Forwarded-For/Real-IP headers"
}

FKIE_CVE-2026-21862

Vulnerability from fkie_nvd - Published: 2026-02-03 16:16 - Updated: 2026-02-23 20:26

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/rustfs/rustfs/security/advisories/GHSA-fc6g-2gcp-2qrq	Vendor Advisory

Impacted products

Vendor	Product	Version
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha1:*:*:*:rust:*:*",
              "matchCriteriaId": "454A2F3A-76CF-4F2D-97FE-AEDEBE8FF1CA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha10:*:*:*:rust:*:*",
              "matchCriteriaId": "32B2D146-7920-4C6D-B42F-1BDDF5193394",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha11:*:*:*:rust:*:*",
              "matchCriteriaId": "B25BC365-35BA-438A-B5B1-3FA696767821",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha12:*:*:*:rust:*:*",
              "matchCriteriaId": "B69213F1-7D94-4185-9309-FF3140733550",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha13:*:*:*:rust:*:*",
              "matchCriteriaId": "BD2476D6-257C-4A96-BED4-D8B002402242",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha14:*:*:*:rust:*:*",
              "matchCriteriaId": "774EC64C-73ED-4D6B-893B-30A066DA934C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha15:*:*:*:rust:*:*",
              "matchCriteriaId": "4B567F4F-131F-4D4B-8C0C-9212F22F2BB3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha16:*:*:*:rust:*:*",
              "matchCriteriaId": "711F7641-A2B2-410B-B05D-6656F9A1798F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha17:*:*:*:rust:*:*",
              "matchCriteriaId": "EB79AC62-2B79-441C-BC09-4C834C32EADA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha18:*:*:*:rust:*:*",
              "matchCriteriaId": "62DE84EE-9F3B-460A-AC13-D2B8CCBC5B4E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha19:*:*:*:rust:*:*",
              "matchCriteriaId": "DEF70599-6550-49D2-9800-FE3249A66568",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha2:*:*:*:rust:*:*",
              "matchCriteriaId": "550786BD-A6A4-454B-BDAB-67AE64DABCA7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha20:*:*:*:rust:*:*",
              "matchCriteriaId": "FDFE93A5-B6D7-482A-A891-4D8844604C07",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha21:*:*:*:rust:*:*",
              "matchCriteriaId": "79AC4F00-B006-46C2-863F-2946BB02B58E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha22:*:*:*:rust:*:*",
              "matchCriteriaId": "E313A243-ED56-498D-988F-E088693EBB61",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha23:*:*:*:rust:*:*",
              "matchCriteriaId": "D3A60CB7-1F01-4A60-8555-C225AC89B959",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha24:*:*:*:rust:*:*",
              "matchCriteriaId": "1C98618D-CF5D-406B-8AA5-34B412F3D43D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha25:*:*:*:rust:*:*",
              "matchCriteriaId": "98373960-FEDB-4933-92D5-2A597045DD23",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha26:*:*:*:rust:*:*",
              "matchCriteriaId": "83E0E1A5-3C07-45FF-80FD-0DB375E1575E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha27:*:*:*:rust:*:*",
              "matchCriteriaId": "C2D66076-4005-4F58-A8E2-69062053D786",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha28:*:*:*:rust:*:*",
              "matchCriteriaId": "1D8CB0F5-299F-4BB0-B264-F5642DD991C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha29:*:*:*:rust:*:*",
              "matchCriteriaId": "96E20418-FE0C-4202-8771-FFF8EBB1B62D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha3:*:*:*:rust:*:*",
              "matchCriteriaId": "C16A625B-3FC4-48EB-9107-6E7585080D15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha30:*:*:*:rust:*:*",
              "matchCriteriaId": "810A17F9-AEEA-4396-B437-120789BBE882",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha31:*:*:*:rust:*:*",
              "matchCriteriaId": "7B1FECD4-E993-417D-AEA7-F8E97DC6A5FA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha32:*:*:*:rust:*:*",
              "matchCriteriaId": "3839F299-E0E7-4994-A8AC-B67A534C9847",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha33:*:*:*:rust:*:*",
              "matchCriteriaId": "46CAEA4E-5DFD-4668-ABF0-DC53EB04EE7B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha34:*:*:*:rust:*:*",
              "matchCriteriaId": "591075AB-81EF-4D42-A2A0-FA28BC6B78CC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha35:*:*:*:rust:*:*",
              "matchCriteriaId": "FD46ED07-6DCC-4BF8-A4E8-78B2FF6DCE4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha36:*:*:*:rust:*:*",
              "matchCriteriaId": "6DF15533-D6E1-49B0-B30A-6FEECC7AE06C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha37:*:*:*:rust:*:*",
              "matchCriteriaId": "EC68F03A-D299-4BFB-A99E-4B08E4E0848F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha38:*:*:*:rust:*:*",
              "matchCriteriaId": "0DD60024-CAB2-4DA6-A9CA-503D2631E98B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha39:*:*:*:rust:*:*",
              "matchCriteriaId": "32470ED0-7873-41A3-B2D5-7CD444ED0A45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha4:*:*:*:rust:*:*",
              "matchCriteriaId": "A88E9293-4B7C-4C52-9943-47197DB55D59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha40:*:*:*:rust:*:*",
              "matchCriteriaId": "E2EFC74D-40E7-426C-9F7B-3B654F2B940F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha41:*:*:*:rust:*:*",
              "matchCriteriaId": "EAAF504E-51A5-492B-887E-BB67788B899C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha42:*:*:*:rust:*:*",
              "matchCriteriaId": "35C83244-D2C7-4D70-9C0B-D0590B00C608",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha43:*:*:*:rust:*:*",
              "matchCriteriaId": "429E4ECD-997A-4D3B-9DE2-60835AE14473",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha44:*:*:*:rust:*:*",
              "matchCriteriaId": "5DDDBAA5-D207-498C-A6F0-79F07806C511",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha45:*:*:*:rust:*:*",
              "matchCriteriaId": "81758B85-6D2B-4914-96EC-E4CCDE2F9A52",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha46:*:*:*:rust:*:*",
              "matchCriteriaId": "D439B484-E32D-4A6A-84EE-9307A028F736",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha47:*:*:*:rust:*:*",
              "matchCriteriaId": "FDA137F7-DC8A-44F4-8061-F502AC8DD7BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha48:*:*:*:rust:*:*",
              "matchCriteriaId": "AE3EF7B3-E8C0-4844-9165-3A26EB426615",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha49:*:*:*:rust:*:*",
              "matchCriteriaId": "EB40D926-AE20-46A7-9B6E-ED1BADB9A08B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha5:*:*:*:rust:*:*",
              "matchCriteriaId": "7F5E8DE5-ABB0-4884-B473-07FA596A8707",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha50:*:*:*:rust:*:*",
              "matchCriteriaId": "3A43A950-59A6-4343-815A-953C11DC3F13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha51:*:*:*:rust:*:*",
              "matchCriteriaId": "87B36190-C30B-45BC-9738-BE0B3321025D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha52:*:*:*:rust:*:*",
              "matchCriteriaId": "86A2967C-E2C6-4C73-9BDE-CCECACDB2B02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha53:*:*:*:rust:*:*",
              "matchCriteriaId": "5E10A654-E265-4469-8099-ABBB1F5D8BCF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha54:*:*:*:rust:*:*",
              "matchCriteriaId": "762591A8-A0A2-45D2-B15F-1E85DFC5CA86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha55:*:*:*:rust:*:*",
              "matchCriteriaId": "53DE196C-1914-40AE-854D-4988073D57C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha56:*:*:*:rust:*:*",
              "matchCriteriaId": "5BE55B7E-3806-4F8A-B09C-7B9D173D3FAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha57:*:*:*:rust:*:*",
              "matchCriteriaId": "8CF07DA6-11F6-4A19-9FD9-1955EC22C779",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha58:*:*:*:rust:*:*",
              "matchCriteriaId": "1A571B98-0EE7-46A6-8514-3E02F9CE969A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha59:*:*:*:rust:*:*",
              "matchCriteriaId": "3263EEC7-94FF-4802-BCB2-0C3713079439",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha6:*:*:*:rust:*:*",
              "matchCriteriaId": "2B55C391-0232-4F06-A9D8-3663FA564E81",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha60:*:*:*:rust:*:*",
              "matchCriteriaId": "FA13E6EE-A889-408E-8503-2F57A5E46CE1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha61:*:*:*:rust:*:*",
              "matchCriteriaId": "4D28A63E-ADE5-4DEC-8E75-0884A7011613",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha62:*:*:*:rust:*:*",
              "matchCriteriaId": "21E6129E-565C-45AE-A0C8-2D1B623EEC9D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha63:*:*:*:rust:*:*",
              "matchCriteriaId": "046F640C-18E9-4FC4-812D-8E4CAAFCAE55",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha64:*:*:*:rust:*:*",
              "matchCriteriaId": "BFB217B7-78AA-4D16-9A2B-863BD6CD01B6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha65:*:*:*:rust:*:*",
              "matchCriteriaId": "F8EEF3FF-410B-40F3-A144-CD61ED394109",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha66:*:*:*:rust:*:*",
              "matchCriteriaId": "E3494138-7FE7-4152-935C-C1C35179064B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha67:*:*:*:rust:*:*",
              "matchCriteriaId": "9E0461BC-0E45-4F9F-A837-4D9FC8852A75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha68:*:*:*:rust:*:*",
              "matchCriteriaId": "E259407D-61CF-4956-A456-57F131334456",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha69:*:*:*:rust:*:*",
              "matchCriteriaId": "B6E44EF8-98A5-47F5-B7E9-3199EB08FAC1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha7:*:*:*:rust:*:*",
              "matchCriteriaId": "54AB158B-F536-4627-8C6B-65AEE112FDF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha70:*:*:*:rust:*:*",
              "matchCriteriaId": "F4CBBD85-02F9-491A-8845-59EFB88F2DAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha71:*:*:*:rust:*:*",
              "matchCriteriaId": "2271380A-3AE1-4954-8D16-5065C8E88D32",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha72:*:*:*:rust:*:*",
              "matchCriteriaId": "DB3F6C7E-71E4-427A-96F4-F62DE0ED9450",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha73:*:*:*:rust:*:*",
              "matchCriteriaId": "980BEAAE-143E-4F28-9A2F-58CED3D296E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha74:*:*:*:rust:*:*",
              "matchCriteriaId": "8E14C88E-CE9B-44DA-98DE-280C0D6E4C8D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha75:*:*:*:rust:*:*",
              "matchCriteriaId": "EEC13614-61AD-45A7-B7FA-07346D33CACF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha76:*:*:*:rust:*:*",
              "matchCriteriaId": "6B3E9EB0-0A41-4146-B6A9-49B1A70358DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha77:*:*:*:rust:*:*",
              "matchCriteriaId": "CBDD75C5-1A08-4758-9324-172C1D539322",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha8:*:*:*:rust:*:*",
              "matchCriteriaId": "F800AEB3-3AD7-42D8-BC3A-23703851435B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha9:*:*:*:rust:*:*",
              "matchCriteriaId": "5821FADC-CF73-4639-911A-F3302D239B7C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. This issue has been patched in version alpha.78."
    }
  ],
  "id": "CVE-2026-21862",
  "lastModified": "2026-02-23T20:26:41.903",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-03T16:16:12.753",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-fc6g-2gcp-2qrq"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-290"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-21862 (GCVE-0-2026-21862)

GHSA-FC6G-2GCP-2QRQ

Summary

Details

PoC

Impact

Credits

FKIE_CVE-2026-21862

Tags

Sightings

Nomenclature