CVE-2026-21862
Published: Feb 3, 2026
Modified: Feb 3, 2026
PUBLISHED
Description
RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. This issue has been patched in version alpha.78.
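The flaw class described above, sketched next to a hardened form. This is an added example, not RustFS code or its actual patch: `source_ip_naive`, `source_ip` and the `trusted` proxy list are hypothetical names, and all addresses are constructed sample values.

```rust
use std::net::IpAddr;

// Flawed pattern (sketch): the leftmost X-Forwarded-For entry is accepted
// from any caller, so the value used for aws:SourceIp is client-controlled.
fn source_ip_naive(peer: IpAddr, xff: Option<&str>) -> IpAddr {
    xff.and_then(|h| h.split(',').next())
        .and_then(|s| s.trim().parse::<IpAddr>().ok())
        .unwrap_or(peer)
}

// Hardened form: the header is honoured only when the TCP peer is one of the
// operator-configured reverse proxies (`trusted`, a hypothetical setting).
fn source_ip(peer: IpAddr, xff: Option<&str>, trusted: &[IpAddr]) -> IpAddr {
    if !trusted.contains(&peer) {
        return peer; // direct connection: ignore forwarding headers entirely
    }
    let header = match xff {
        Some(h) => h,
        None => return peer,
    };
    // Walk right to left: the rightmost entries were appended by our own
    // proxies; everything to the left of the first untrusted hop is
    // client-supplied and must not be used.
    let mut candidate = peer;
    for hop in header.rsplit(',') {
        match hop.trim().parse::<IpAddr>() {
            Ok(ip) => {
                candidate = ip;
                if !trusted.contains(&ip) {
                    break; // first hop that is not ours: the real client
                }
            }
            Err(_) => break, // malformed entry: keep the last verified hop
        }
    }
    candidate
}

fn main() {
    // Constructed sample values.
    let proxy: IpAddr = "10.0.0.5".parse().unwrap();
    let client: IpAddr = "203.0.113.9".parse().unwrap();
    let forged = Some("192.168.1.10"); // header sent by the client itself
    println!("naive:    {}", source_ip_naive(client, forged));
    println!("hardened: {}", source_ip(client, forged, &[proxy]));
}
```

With the hardened form, an IP-allowlist policy is evaluated against the connecting address unless the request actually arrived through a configured proxy.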
| Vendor | Product | Versions |
|---|---|---|
| rustfs | rustfs | affected < alpha.78 |
Weaknesses (CWE)
References
https://github.com/rustfs/rustfs/security/advisories/GHSA-fc6g-2gcp-2qrq
x_refsource_CONFIRM