CVE-2026-27607: RustFS Upload Policy Bypass Opens Door to Storage Abuse and Unauthorized Object Writes

CVE-2026-27607

CVE ID: CVE-2026-27607
Product: RustFS (S3-compatible object storage)
Vulnerability Type: Policy Bypass / Upload Constraint Bypass
Affected Versions: 1.0.0-alpha.56 through 1.0.0-alpha.82
Patched Version: 1.0.0-alpha.83 and later
CVSS v3.1: 8.1 (High)
Severity: High
Attack Vector: Network
Privileges Required: None (the attacker only needs a presigned POST form that the application hands out to uploaders)
User Interaction: None
Attack Complexity: Low
Exploit Availability: Public proof-of-concept code reported


Executive Summary

CVE-2026-27607 is a server-side validation failure in RustFS's implementation of S3-compatible presigned POST uploads. Restrictions declared in the upload policy, namely file size limits (content-length-range), object key prefix enforcement (starts-with) and Content-Type matching, were not re-checked against the submitted form when the upload was processed, so they could be bypassed.

As a result, anyone holding a valid presigned POST form could upload objects that violate the intended security boundaries. This could lead to storage exhaustion, unauthorized object placement, content-type spoofing and possible data integrity compromise.

The flaw lies in incomplete enforcement of POST policy conditions at object write time.


Technical Details

RustFS supports presigned POST uploads similar to Amazon S3. These POST requests include:

  • A base64-encoded policy document
  • Signature fields
  • Form-data fields (key, content-type, file, etc.)
  • Optional constraints like:
    • content-length-range
    • starts-with for object key
    • exact match on Content-Type

The signature covers only the base64-encoded policy document; key, Content-Type and the file body are plain form fields that the client sends alongside it and can change freely. The server is therefore expected to decode the policy and compare every condition in it against the submitted fields before writing the object. The vulnerability exists because RustFS accepted uploads without fully performing that comparison.

Missing Validations Observed

  1. content-length-range not enforced
    • Uploads exceeding declared size limits were accepted.
  2. Object key prefix validation bypassed
    • Uploads could be written outside intended prefixes.
  3. Content-Type restriction ignored
    • Files could be uploaded with disallowed MIME types.
  4. Inconsistent signature-to-policy enforcement
    • A valid signature over the policy was treated as sufficient to authorize the write; the conditions inside that signed policy were not all applied to the fields actually submitted.

The system trusted the presigned request but failed to perform strict verification before committing the object to storage.
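As an added example, not RustFS code, the following Python shows the two-step check a presigned POST handler needs on the server side: first verify that the SigV4 signature binds the base64 policy document, then re-evaluate every condition in that policy (content-length-range, starts-with, eq) against the form fields and body length that were actually submitted. The credentials, region, bucket and policy are constructed for the example; the field names and condition forms follow the S3 POST policy format.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed credentials, region and policy; none of this is RustFS code.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
DATE_STAMP = "20260301"
AMZ_DATE = DATE_STAMP + "T000000Z"
CREDENTIAL = f"{ACCESS_KEY}/{DATE_STAMP}/{REGION}/s3/aws4_request"

# The policy the application signs: one user's prefix, PNG only, 1 MiB cap.
POLICY = {
    "expiration": "2030-01-01T00:00:00Z",
    "conditions": [
        {"bucket": "user-uploads"},
        ["starts-with", "$key", "uploads/alice/"],
        ["eq", "$Content-Type", "image/png"],
        ["content-length-range", 0, 1048576],
        {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
        {"x-amz-credential": CREDENTIAL},
        {"x-amz-date": AMZ_DATE},
    ],
}
# Form fields S3 exempts from the rule that every field must appear in a condition.
UNCHECKED_FIELDS = {"file", "policy", "x-amz-signature"}


def signing_key(secret: str, date_stamp: str, region: str) -> bytes:
    """SigV4 key derivation: HMAC chain over date, region, service, terminator."""
    key = hmac.new(("AWS4" + secret).encode(), date_stamp.encode(), hashlib.sha256).digest()
    for part in (region, "s3", "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def presign(policy: dict) -> dict:
    """Application side: sign the base64 policy and hand the form fields to the client."""
    b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    sig = hmac.new(signing_key(SECRET_KEY, DATE_STAMP, REGION), b64.encode(), hashlib.sha256).hexdigest()
    return {"policy": b64, "x-amz-signature": sig, "x-amz-algorithm": "AWS4-HMAC-SHA256",
            "x-amz-credential": CREDENTIAL, "x-amz-date": AMZ_DATE, "bucket": "user-uploads"}


def validate_post(form: dict, file_len: int, now: Optional[datetime] = None) -> list:
    """Server side: return the violations; an empty list means the write may be committed.

    The signature binds only the base64 policy. key, Content-Type and the file body are
    plain form fields the client can rewrite, so every condition is re-evaluated here.
    """
    now = now or datetime.now(timezone.utc)
    b64 = form.get("policy", "")
    key = signing_key(SECRET_KEY, form.get("x-amz-date", "")[:8], REGION)
    expected = hmac.new(key, b64.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, form.get("x-amz-signature", "")):
        return ["signature: does not match policy"]    # forged or edited policy
    policy = json.loads(base64.b64decode(b64))

    violations = []
    if now > datetime.fromisoformat(policy["expiration"].replace("Z", "+00:00")):
        violations.append("expiration: policy has expired")
    covered = set()
    for cond in policy["conditions"]:
        if isinstance(cond, dict):                          # {"field": "exact value"}
            (field, want), = cond.items()
            covered.add(field)
            if form.get(field) != want:
                violations.append(f"{field}: must equal {want!r}")
            continue
        op, *args = cond
        if op == "content-length-range":                    # checked on the real body length
            low, high = args
            if not low <= file_len <= high:
                violations.append(f"content-length-range: {file_len} not in [{low}, {high}]")
            continue
        field, want = args[0].lstrip("$"), args[1]
        covered.add(field)
        got = form.get(field, "")
        if op == "eq" and got != want:
            violations.append(f"{field}: must equal {want!r}")
        elif op == "starts-with" and not got.startswith(want):
            violations.append(f"{field}: must start with {want!r}")
    # Like S3, reject form fields the policy never mentions so nothing extra
    # (metadata, ACL, redirect) can be smuggled past the policy author.
    for extra in sorted(set(form) - covered - UNCHECKED_FIELDS):
        if not extra.startswith("x-ignore-"):
            violations.append(f"{extra}: field not covered by policy")
    return violations


if __name__ == "__main__":
    good = {**presign(POLICY), "key": "uploads/alice/avatar.png", "Content-Type": "image/png"}
    print(validate_post(good, 512))                                        # []
    print(validate_post({**good, "key": "uploads/bob/avatar.png"}, 512))   # prefix escape
    print(validate_post(good, 50 * 1024 * 1024))                           # oversized
```

The content-length check is deliberately made against the number of bytes actually received, not against any Content-Length the client declared, and the signature check runs before the policy is even decoded, so an edited policy is rejected without its conditions ever being trusted.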


Impact

1. Storage Abuse

Large uploads beyond allowed thresholds could consume disk space rapidly, potentially leading to denial of service or billing impact in metered environments.

2. Namespace Violation

Attackers could upload objects outside the prefix their presigned form was scoped to, including onto keys that already exist, overwriting legitimate content where the keys collide.

3. Content-Type Spoofing

Malicious files could be disguised as allowed types (e.g., executable files uploaded as images).

4. Integrity and Availability Risk

If bucket policies assumed strict prefix control, this flaw could undermine application trust boundaries.


Exploitation Scenario (Educational)

The exploitation involves modifying multipart POST form fields while keeping a valid presigned structure.

Observed abuse patterns include:

  • Changing the key field to point outside the intended upload directory.
  • Uploading files exceeding declared content-length-range.
  • Altering Content-Type header to bypass application filtering.
  • Reusing valid presigned tokens for unintended object uploads.

No authentication bypass is required if the upload endpoint is publicly exposed with presigned tokens.


Indicators of Compromise (IOCs)

The following behavioral indicators may suggest exploitation:

  • Objects created outside expected prefixes.
  • Sudden increase in object size beyond application limits.
  • Mismatch between declared content-type and file signature.
  • High-frequency POST uploads from single IPs.
  • Anonymous uploads where authentication was expected.
  • Objects uploaded shortly after presigned token generation but violating intended constraints.

Detection Guidance

Log Sources to Monitor

  • RustFS application logs
  • Reverse proxy logs (NGINX, HAProxy, Traefik)
  • Cloud audit logs (PutObject events)
  • Object storage metadata logs
  • Host-level storage utilization metrics
  • WAF logs

Detection Queries

1. Oversized Upload Detection (Elastic / KQL)

http.request.method: "POST" AND 
url.path: "/postobject" AND
http.request.body.bytes > 104857600

(Adjust the threshold to the policy limit and url.path to the bucket endpoint your proxy actually logs.)


2. Object Key Prefix Violation (Elastic / KQL)

event.action: "PutObject" AND 
NOT object.key: expected-prefix/*

(KQL treats * as a wildcard only in an unquoted value; "expected-prefix/*" in quotes matches that literal string and the query would flag everything.)

3. Content-Type Mismatch Detection (Elastic / ES|QL)

FROM logs-rustfs-*
| WHERE event.action == "PutObject"
    AND file.mime_type != http.request.headers.content_type

(KQL cannot compare two fields, hence ES|QL. file.mime_type must be populated by a post-upload inspection of the object's magic bytes, for example an ingest enrichment; the request log by itself only carries the type the client declared.)

4. Upload Frequency Abuse (Elastic / ES|QL)

FROM logs-rustfs-*
| WHERE event.action == "PutObject"
| STATS uploads = COUNT(*) BY source.ip, bucket.name
| WHERE uploads > 50

(Field names such as object.key, bucket.name and file.mime_type are the ones used throughout this page; map them to your own index schema.)

5. Suspicious Large Multipart Upload (Splunk)

index=rustfs_logs method=POST uri="/postobject"
| eval size=tonumber(content_length)
| where size > 104857600

6. Prefix Escape Detection (Splunk)

index=rustfs_logs event=PutObject
| search NOT key="allowed-prefix/*"

7. Network IDS Pattern (Suricata Rule Example)

alert http any any -> $HOME_NET any (
  msg:"RustFS Suspicious Large Multipart Upload";
  flow:established,to_server;
  http.method; content:"POST";
  http.content_type; content:"multipart/form-data";
  http.content_len; pcre:"/^[1-9][0-9]{8,}/";
  sid:42027607; rev:2;)

(The earlier form of this rule used dsize, which tests the payload of a single packet and cannot exceed 65535, so it could never match a 100 MB upload. The pcre above fires on any declared Content-Length of nine or more digits, i.e. at least 100,000,000 bytes; change the digit count to match your policy limit. It only sees TLS-terminated traffic, so place the sensor behind the reverse proxy.)

Threat Hunting Checklist

  • List objects uploaded during vulnerable period.
  • Compare object sizes against application upload policies.
  • Validate key prefixes against expected token-scoped directories.
  • Inspect uploaded files using file signature analysis.
  • Review presigned token issuance logs.
  • Check for sudden storage growth anomalies.
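As an added example that is not RustFS tooling, the Python below runs the indicators and checklist items above over constructed upload records: objects outside the uploader's own prefix, objects over the size cap, disallowed or spoofed content types (declared type checked against the object's magic bytes), anonymous writes, and bursts from one source IP. The JSON-lines record shape, the per-user prefix layout uploads/<user>/, the 1 MiB cap and the 50-upload burst threshold are assumptions; RustFS's real log fields and your policy limits will differ.

```python
import json
from collections import Counter
from typing import Iterable

# Added example, not RustFS code. Thresholds and the per-user prefix layout are
# assumptions; replace them with the values your application's policies use.
MAX_OBJECT_BYTES = 1 * 1024 * 1024        # content-length-range ceiling the app issues
ALLOWED_TYPES = {"image/png", "image/jpeg"}
RATE_THRESHOLD = 50                        # PutObject events per source IP in the window

# Magic bytes for the declared-type vs. file-signature check (first bytes of each object).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-msdownload"),   # Windows PE
    (b"\x7fELF", "application/x-executable"),
]


def expected_prefix(principal: str) -> str:
    """Assumed token-scoped layout: each user may only write under uploads/<user>/."""
    return f"uploads/{principal}/"


def sniff_type(head: bytes):
    """Return the MIME type implied by the object's leading bytes, or None if unknown."""
    for magic, mime in MAGIC:
        if head.startswith(magic):
            return mime
    return None


def flag(rule: str, rec: dict, **extra) -> dict:
    return {"rule": rule, "key": rec["key"], "src_ip": rec["src_ip"], **extra}


def hunt(records: Iterable[dict]) -> list:
    """Apply the advisory's IOCs to upload records; returns one finding per hit."""
    findings, per_ip = [], Counter()
    for r in records:
        if r.get("event") != "PutObject":
            continue
        per_ip[r["src_ip"]] += 1
        principal = r.get("principal") or ""
        if not principal:                                   # anonymous where auth expected
            findings.append(flag("anonymous-upload", r))
        elif not r["key"].startswith(expected_prefix(principal)):
            findings.append(flag("prefix-escape", r))       # written outside own directory
        if r["size"] > MAX_OBJECT_BYTES:
            findings.append(flag("oversized", r, size=r["size"]))
        if r["content_type"] not in ALLOWED_TYPES:
            findings.append(flag("disallowed-content-type", r))
        sniffed = sniff_type(bytes.fromhex(r.get("head_hex", "")))
        if sniffed and sniffed != r["content_type"]:        # e.g. PE bytes declared as PNG
            findings.append(flag("type-mismatch", r, actual=sniffed))
    for ip, n in per_ip.items():
        if n > RATE_THRESHOLD:
            findings.append({"rule": "upload-burst", "src_ip": ip, "count": n})
    return findings


def sample_log_lines() -> list:
    """Constructed JSON-lines records. head_hex stands for the object's first bytes,
    fetched afterwards with a ranged GET, since request logs carry only the declared type."""
    base = {"event": "PutObject", "bucket": "user-uploads", "content_type": "image/png",
            "size": 4096, "head_hex": "89504e470d0a1a0a", "principal": "alice",
            "src_ip": "203.0.113.10"}
    recs = [
        {**base, "key": "uploads/alice/avatar.png"},                                # clean
        {**base, "key": "uploads/bob/avatar.png"},                                  # prefix escape
        {**base, "key": "uploads/alice/big.png", "size": 500 * 1024 * 1024},        # oversized
        {**base, "key": "uploads/alice/tool.png", "head_hex": "4d5a90000300"},      # PE as PNG
        {**base, "key": "uploads/alice/tool.exe", "head_hex": "4d5a90000300",
         "content_type": "application/x-msdownload"},                               # disallowed type
        {**base, "key": "uploads/anon.png", "principal": ""},                       # anonymous
    ]
    recs += [{**base, "key": f"uploads/alice/spam-{i}.png", "src_ip": "198.51.100.7"}
             for i in range(60)]                                                    # burst
    return [json.dumps(r) for r in recs]


def hunt_lines(lines: Iterable[str]) -> list:
    return hunt(json.loads(line) for line in lines)


if __name__ == "__main__":
    for finding in hunt_lines(sample_log_lines()):
        print(finding)
```

On the constructed input this yields exactly one finding per planted abuse pattern and none for the clean upload; the clean record and the burst records share the same principal and prefix, so only the frequency rule distinguishes them.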

MITRE ATT&CK Mapping

  • T1190 – Exploit Public-Facing Application
  • T1499 – Endpoint Denial of Service (storage exhaustion)
  • T1565.001 – Data Manipulation: Stored Data Manipulation (overwriting objects outside the intended prefix)
  • T1530 – Data from Cloud Storage (relevant only where the attacker can also read back planted or overwritten objects; the flaw itself affects writes)

Remediation

Immediate Actions

  1. Upgrade RustFS to 1.0.0-alpha.83 or later.
  2. Invalidate outstanding presigned POST forms. A signed policy cannot be revoked individually; it stops working only when it expires or when the credential that signed it is rotated, so keep policy lifetimes short and pair this step with step 3.
  3. Rotate the access keys used to generate presigned requests.
  4. Audit storage for objects that violate the intended prefixes, size limits and content types.
  5. Enforce upload size and rate limits at the reverse proxy as a backstop that does not depend on the policy.

Official Patch / Upgrade Link

RustFS Release Containing Fix:
https://github.com/rustfs/rustfs/releases

Upgrade to 1.0.0-alpha.83 or later.


Hardening Recommendations

  • Enforce server-side object size validation independent of policy.
  • Implement strict prefix validation before object commit.
  • Enable content inspection using file magic, not only headers.
  • Apply rate limiting on upload endpoints.
  • Enable WAF body size limits.
  • Implement bucket-level quotas.
  • Monitor upload anomaly metrics continuously.

Risk Assessment

Organizations exposing RustFS presigned POST endpoints to external users are at higher risk. Environments relying on upload prefix isolation are particularly affected. Multi-tenant storage systems should treat this as critical.

If exploited, the vulnerability may not immediately produce visible errors, making log review essential.


Conclusion

CVE-2026-27607 represents a classic example of missing server-side enforcement of client-declared policy constraints. While presigned uploads provide convenience, they must never replace strict backend validation. Failure to enforce constraints at write time resulted in an exploitable condition that could impact storage integrity, availability, and operational cost.

Immediate patching and log review are strongly recommended.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.