LeakyCreds

CVE-2026-27607 - Vulnerability Analysis

High | CVSS: 8.1

Last Updated: February 25, 2026

RustFS - Broken Access Control

Published: February 25, 2026 | Updated: February 25, 2026 | PoC Available | Remote Exploitable

Overview

RustFS 1.0.0-alpha.56 through 1.0.0-alpha.82 contains a broken access control vulnerability caused by lack of validation of policy conditions in presigned POST uploads, letting attackers bypass content-length, key, and content-type constraints to upload unauthorized files.
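
The server-side check whose absence the overview describes, as an added sketch (not RustFS code and not the project's fix). It assumes the policy has already been base64-decoded, parsed and signature-verified; `Cond`, `enforce`, `sample_policy` and `form` are hypothetical names, and the exempt-field list follows the S3 POST policy rules.

```rust
use std::collections::HashMap;

// S3 POST policy condition kinds; field names are lowercase, without the "$" prefix.
pub enum Cond { Eq(String, String), StartsWith(String, String), LengthRange(u64, u64) }
// Form fields S3 exempts from the "every field needs a condition" rule.
fn exempt(name: &str) -> bool {
    matches!(name, "file" | "policy" | "x-amz-signature") || name.starts_with("x-ignore-")
}

/// Enforce an already decoded, signature-verified policy against the submitted form.
/// `fields` maps lowercase field names to values; `size` is the uploaded file length in bytes.
pub fn enforce(conds: &[Cond], fields: &HashMap<String, String>, size: u64) -> Result<(), String> {
    let mut covered: Vec<&str> = Vec::new();
    for c in conds {
        match c {
            Cond::Eq(n, want) if fields.get(n) == Some(want) => covered.push(n.as_str()),
            Cond::Eq(n, want) => return Err(format!("{n}: must equal {want:?}")),
            Cond::StartsWith(n, p) if fields.get(n).map_or(false, |v| v.starts_with(p.as_str())) => {
                covered.push(n.as_str())
            }
            Cond::StartsWith(n, p) => return Err(format!("{n}: must start with {p:?}")),
            Cond::LengthRange(lo, hi) if size < *lo || size > *hi => {
                return Err(format!("size {size} outside {lo}..={hi}"))
            }
            Cond::LengthRange(..) => {}
        }
    }
    // Fail closed: a submitted field that no condition covers is rejected.
    match fields.keys().find(|k| !exempt(k.as_str()) && !covered.contains(&k.as_str())) {
        Some(k) => Err(format!("{k}: not covered by any policy condition")),
        None => Ok(()),
    }
}

// Constructed sample: uploads pinned to "uploads/alice/", text/plain, 1 to 1024 bytes.
pub fn sample_policy() -> Vec<Cond> {
    vec![
        Cond::StartsWith("key".into(), "uploads/alice/".into()),
        Cond::Eq("content-type".into(), "text/plain".into()),
        Cond::LengthRange(1, 1024),
    ]
}
pub fn form(pairs: &[(&str, &str)]) -> HashMap<String, String> {
    pairs.iter().map(|(k, v)| (k.to_lowercase(), v.to_string())).collect()
}
fn main() {
    let f = form(&[("key", "uploads/alice/a.txt"), ("Content-Type", "text/plain")]);
    println!("{:?} {:?}", enforce(&sample_policy(), &f, 512), enforce(&sample_policy(), &f, 4096));
}
```

A request is accepted only when every condition holds and every non-exempt form field is covered by one; each of the three constraints named in the overview maps to one `Cond` variant.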

Severity & Score

Severity: High
CVSS Score: 8.1
EPSS Score: 8.2% (Probability of exploitation in next 30 days)

Impact

Attackers can upload unauthorized files exceeding size limits or to arbitrary keys, leading to storage exhaustion and unauthorized data access.

Mitigation

Upgrade to version 1.0.0-alpha.83 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Feb 25, 2026

🟠 CVE-2026-27607 - High (8.1) RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, s... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27607/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


GitHub Repositories (1 repo)

Details

CVE ID: CVE-2026-27607
Severity: High
CVSS Score: 8.1
Type: broken_access_control
Status: confirmed
EPSS: 8.2%
Social Posts: 1

CWE

  • CWE-20
  • CWE-863

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS Score

8.2% (Probability of exploitation in the next 30 days)