Platform: rust
Component: rustfs
Fixed in: 1.0.1, 1.0.0-alpha.83
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the RustFS Console that allows attackers to execute arbitrary JavaScript within the management console. It stems from improper validation during the file preview process and can enable credential theft and subsequent system compromise. Versions prior to 1.0.0-alpha.83 are affected; the fix is available in version 1.0.0-alpha.83.
The impact of this XSS vulnerability is significant. An attacker can use it to inject malicious JavaScript into the RustFS Console, which then executes in the context of a user's browser. This allows the attacker to steal administrator credentials stored in localStorage and thereby gain full control of the system: modifying configurations, accessing sensitive data, or launching further attacks against other systems connected to the RustFS infrastructure. The lack of origin separation between S3 object delivery and the management console exacerbates the risk, because content served from a bucket runs in the same origin as the console and the browser's same-origin policy does not isolate it from the console's stored credentials.
Public details regarding this vulnerability were published on 2026-02-25. While no public proof-of-concept (PoC) has been released at the time of writing, the severity of the vulnerability (CVSS 9.0) and the potential for account takeover suggest a high probability of exploitation. It is advisable to monitor security advisories and threat intelligence feeds for any signs of active exploitation. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-27822 is to upgrade immediately to RustFS Console version 1.0.0-alpha.83 or later. If upgrading is not immediately feasible, consider a Web Application Firewall (WAF) with rules that block suspicious file preview requests. Additionally, review what administrator credentials the console keeps in localStorage, which any script running in the console's origin can read, and strengthen that handling to minimise the impact of credential theft. Regularly audit file preview functionality for potential vulnerabilities. After upgrading, confirm the fix by attempting to upload a malicious file designed to trigger the XSS vulnerability and verifying that the script is not executed.
Update RustFS to version 1.0.0-alpha.83 or higher. This version fixes the stored XSS vulnerability in the preview modal, preventing potential administrative account takeover.
CVE-2026-27822 is a critical Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console that allows attackers to execute JavaScript and potentially steal administrator credentials.
You are affected if you are using RustFS Console versions prior to 1.0.0-alpha.83. Assess your environment immediately to determine if you are vulnerable.
Upgrade to RustFS Console version 1.0.0-alpha.83 or later. As a temporary workaround, implement a WAF to block suspicious file preview requests.
While no active exploitation has been publicly confirmed, the high severity of the vulnerability suggests a potential for exploitation. Monitor security advisories and threat intelligence feeds.
Refer to the official RustFS security advisory for detailed information and updates regarding CVE-2026-27822.