| Severity | Score | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| CRITICAL | 9.8 | CVE-2025-68926 | RustFS has a gRPC Hardcoded Token Authentication Bypass | >= 1.0.0-alpha.13, < 1.0.0-alpha.78 |
| CRITICAL | 9.0 | CVE-2026-27822 | Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover | from 0, < 1.0.0-alpha.83 |
| HIGH | 8.3 | CVE-2026-40937 | RustFS: Missing admin authorization on notification target endpoints allows unauthenticated configuration of event webhooks | from 0, <= 0.0.2 |
| HIGH | 8.1 | — | RustFS: Missing Post Policy Validation leads to Arbitrary Object Write | >= 1.0.0-alpha.56, < 1.0.0-alpha.83 |
| MEDIUM | 4.3 | — | RustFS has an authorization bypass in multipart UploadPartCopy that enables cross-bucket object exfiltration | from 0, <= 0.0.2 |
| — | — | — | RustFS Logs Sensitive Credentials in Plaintext | >= 1.0.0-alpha.13, < 1.0.0-alpha.82 |
| — | — | — | RustFS has SourceIp bypass via spoofed X-Forwarded-For/Real-IP headers | from 0, < 1.0.0-alpha.78 |
| — | — | — | RustFS's RPC signature verification logs shared secret | >= 1.0.0-alpha.1, < 1.0.0-alpha.80 |
| — | — | — | RustFS has IAM deny_only Short-Circuit that Allows Privilege Escalation via Service Account Minting | >= 1.0.0-alpha.13, < 1.0.0-alpha.79 |
| — | — | — | RustFS has IAM Incorrect Authorization in ImportIam that Allows Privilege Escalation | from 0, < 1.0.0-alpha.79 |
| — | — | — | RustFS gRPC GetMetrics deserialization panic enables remote DoS | >= 1.0.0-alpha.13, < 1.0.0-alpha.78 |
| — | — | — | RustFS Path Traversal Vulnerability | >= 1.0.0-alpha.13, < 1.0.0-alpha.79 |