CVE-2026-45042: RustFS: UploadPartCopy Does Not Enforce Destination Bucket Policy on Copy Source
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation validates GetObject permission on the source bucket and PutObject on the destination bucket independently, but does not enforce any policy constraints on whether the destination bucket permits the specified copy source. This enables unauthorized cross-bucket data movement. This vulnerability is fixed in 1.0.0-beta.2.
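The authorization gap described above, as an added example that is not RustFS code: a simplified, hypothetical policy model contrasting two independent permission checks with a check that also evaluates the destination bucket's copy-source restriction. The `Bucket` struct, the function names, the `svc` principal and the bucket names are all constructed for illustration.

```rust
use std::collections::HashSet;

// Simplified, hypothetical policy model (not RustFS's own types).
struct Bucket {
    name: &'static str,
    readers: HashSet<&'static str>, // principals granted GetObject
    writers: HashSet<&'static str>, // principals granted PutObject
    // Destination-side rule: accepted copy sources as "bucket/key-prefix".
    // None means the bucket policy places no restriction on copy source.
    allowed_copy_sources: Option<Vec<&'static str>>,
}

// The pattern the advisory describes: two independent permission checks.
fn authorize_independent(who: &str, src: &Bucket, dst: &Bucket) -> bool {
    src.readers.contains(who) && dst.writers.contains(who)
}

// Hardened form: also evaluate the destination's copy-source restriction.
fn authorize_with_copy_source(who: &str, src: &Bucket, key: &str, dst: &Bucket) -> bool {
    if !authorize_independent(who, src, dst) {
        return false;
    }
    let source = format!("{}/{}", src.name, key);
    match &dst.allowed_copy_sources {
        None => true,
        Some(prefixes) => prefixes.iter().any(|p| source.starts_with(*p)),
    }
}

// Constructed helper: grants the single sample principal "svc" read and/or write.
fn bucket(name: &'static str, read: bool, write: bool, allow: Option<Vec<&'static str>>) -> Bucket {
    let grant = |on: bool| if on { HashSet::from(["svc"]) } else { HashSet::new() };
    Bucket { name, readers: grant(read), writers: grant(write), allowed_copy_sources: allow }
}

// Constructed sample: "svc" reads `finance` and `staging`, writes `public-drop`;
// `public-drop` only accepts copies whose source is under `staging/`.
fn sample() -> (Bucket, Bucket, Bucket) {
    (bucket("finance", true, false, None),
     bucket("staging", true, false, None),
     bucket("public-drop", false, true, Some(vec!["staging/"])))
}

fn main() {
    let (finance, staging, dst) = sample();
    println!("independent, finance -> public-drop: {}", authorize_independent("svc", &finance, &dst));
    println!("hardened, finance -> public-drop: {}", authorize_with_copy_source("svc", &finance, "q3.csv", &dst));
    println!("hardened, staging -> public-drop: {}", authorize_with_copy_source("svc", &staging, "q3.csv", &dst));
}
```

The independent check approves the `finance` copy even though the destination policy only permits `staging/` as a source; the hardened check rejects it and still allows the permitted copy.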
HarborGuard Analysis
Synopsis
An improper authorization flaw in RustFS, a distributed object storage system built in Rust, allows an authenticated user to copy objects between buckets without the destination bucket's copy-source policy being enforced. The flaw is reachable over the network with low-privilege credentials and no victim interaction. Successful exploitation lets an attacker read and move object data from source buckets into buckets that should not permit that copy source, bypassing tenant isolation controls. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle RustFS. Any image running a RustFS version earlier than 1.0.0-beta.2 is flagged automatically in both registry scans and CI pipeline checks.
Status: Available
HarborGuard surfaces this CVE with its CVSS v4.0 score of 7.1 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Findings are directed to the appropriate team inbox within each customer organization based on configured ownership rules.
Status: Available
Because no upstream fix version has been published at this time, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment RustFS ships a release that resolves this issue. In the interim, the finding remains open and visible in each affected environment's remediation queue.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the RustFS API over the network; the service is exposed via standard HTTP/S object-storage endpoints.
- Authentication: Required
  A low-privilege account with GetObject on a source bucket and PutObject on a destination bucket is sufficient; no administrative credentials are needed.
- Victim interaction: Not required
  The attacker operates entirely through API calls and does not need any other user to take action.
- Attack complexity: Detail
  Exploitation is reliable and condition-free; no race conditions, memory layout dependencies, or special environmental factors are required.
Blast Radius
- An attacker reads object data stored in source buckets that the destination bucket's policy was meant to restrict access to.
- Cross-bucket copy operations succeed silently, bypassing tenant or namespace isolation enforced through destination bucket policy rules.
- Sensitive objects such as credentials, backups, or customer records can be moved into attacker-accessible buckets without triggering policy-based controls.
How HarborGuard Handles This
Available on HarborGuard: any image containing a RustFS build older than 1.0.0-beta.2 is flagged as affected and held in the open remediation queue. Because no upstream fix has been published yet, HarborGuard monitors the RustFS advisory on every ingest cycle and will generate a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment a fix version is released. In the meantime, compensating controls worth considering include network-policy isolation that restricts which workloads can call the UploadPartCopy API endpoint, egress filtering to limit cross-bucket reachability at the network layer, and reviewing bucket policy configurations to reduce the number of low-privilege accounts that hold both GetObject and PutObject grants simultaneously.
Metrics
- CVSS v4.0: 7.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - rustfs / rustfs < 1.0.0-beta.2
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N