CVE-2026-45042
RustFS: UploadPartCopy Does Not Enforce Destination Bucket Policy on Copy Source
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation validates GetObject permission on the source bucket and PutObject on the destination bucket independently, but does not enforce any policy constraints on whether the destination bucket permits the specified copy source. This enables unauthorized cross-bucket data movement. This vulnerability is fixed in 1.0.0-beta.2.
| CWE | CWE-863 |
| Vendor | rustfs |
| Product | rustfs |
| Published | May 28, 2026 |
| Last Updated | May 28, 2026 |
Stay Ahead of the Next One
Get instant alerts for rustfs rustfs
Be the first to know when new unknown vulnerabilities affecting rustfs rustfs are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
rustfs / rustfs
< 1.0.0-beta.2