Vulnerabilities ›

CVE-2026-21862

High

CWE-290 — Weakness Type

                    Published: Feb 3, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

7.5

🔗 NVD Official

📄 Description (English)

RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. This issue has been patched in version alpha.78.

🤖 AI Executive Summary

RustFS versions prior to alpha.78 contain a critical IP-based access control bypass vulnerability (CVE-2026-21862) where the get_condition_values function trusts unsanitized X-Forwarded-For and X-Real-Ip headers without verifying trusted proxy sources. This allows unauthenticated attackers to spoof source IP addresses and circumvent IP-allowlist policies, potentially gaining unauthorized access to distributed object storage systems. Organizations using RustFS for sensitive data storage must immediately upgrade to alpha.78 or implement strict proxy validation controls.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 3, 2026 19:27

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability poses significant risk to Saudi organizations utilizing RustFS for distributed storage, particularly in: (1) Banking sector (SAMA-regulated institutions) storing customer financial data and transaction records; (2) Government agencies (NCA, CITC) managing classified and sensitive citizen data; (3) Healthcare providers (MOH, private hospitals) handling patient medical records; (4) Energy sector (ARAMCO, SEC) managing operational and exploration data; (5) Telecommunications (STC, Mobily, Zain) storing subscriber information. The IP spoofing capability enables unauthorized access to restricted data repositories, potentially violating SAMA CSF, NCA ECC 2024, and data protection requirements under PDPL.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Public Administration Healthcare and Medical Services Energy and Utilities Telecommunications Data Centers and Cloud Services Critical Infrastructure

🎯 MITRE ATT&CK Techniques

T1021 - Remote Services (unauthorized access via spoofed IP) T1078 - Valid Accounts (leveraging IP allowlist bypass) T1190 - Exploit Public-Facing Application (header manipulation) T1556 - Modify Authentication Process (IP-based auth bypass) T1562 - Impair Defenses (circumventing access controls) T1040 - Network Sniffing (potential header interception) T1570 - Lateral Tool Transfer (accessing restricted storage)

⚖️ Saudi Risk Score (AI)

8.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all RustFS deployments running versions alpha.1 through alpha.77 across your infrastructure

2. Assess which systems contain sensitive data subject to IP-based access controls

3. Implement emergency network segmentation to restrict RustFS access to known, verified IP ranges only

PATCHING GUIDANCE:

1. Upgrade all affected RustFS instances to version alpha.78 or later immediately

2. Test patches in non-production environments first to ensure compatibility

3. Coordinate upgrades during maintenance windows to minimize service disruption

4. Verify patch application by checking version numbers post-deployment

COMPENSATING CONTROLS (if immediate patching not possible):

1. Deploy WAF/reverse proxy rules to validate and sanitize X-Forwarded-For and X-Real-Ip headers

2. Configure proxy to only accept these headers from explicitly trusted upstream proxies

3. Implement strict IP allowlisting at network perimeter (firewall rules)

4. Disable X-Forwarded-For and X-Real-Ip header processing if not required

5. Enforce mutual TLS (mTLS) authentication as additional access control layer

DETECTION RULES:

1. Monitor RustFS logs for requests with X-Forwarded-For/X-Real-Ip headers from unexpected sources

2. Alert on IP addresses in headers that don't match source connection IP

3. Track failed authentication attempts followed by successful access from different IPs

4. Implement SIEM rules to detect rapid IP spoofing attempts across multiple requests

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع نشرات RustFS التي تعمل بالإصدارات alpha.1 إلى alpha.77 عبر البنية التحتية

2. تقييم أي الأنظمة تحتوي على بيانات حساسة تخضع للتحكم بالوصول القائم على عناوين IP

3. تطبيق تقسيم الشبكة الطارئ لتقييد الوصول إلى RustFS بنطاقات عناوين IP معروفة ومتحققة فقط

إرشادات التصحيح:

1. ترقية جميع نسخ RustFS المتأثرة إلى الإصدار alpha.78 أو أحدث فوراً

2. اختبار التصحيحات في بيئات غير الإنتاج أولاً لضمان التوافقية

3. تنسيق الترقيات خلال نوافذ الصيانة لتقليل انقطاع الخدمة

4. التحقق من تطبيق التصحيح بفحص أرقام الإصدار بعد النشر

عناصر التحكم البديلة (إذا لم يكن التصحيح الفوري ممكناً):

1. نشر قواعد WAF/reverse proxy للتحقق من صحة وتنظيف رؤوس X-Forwarded-For و X-Real-Ip

2. تكوين الوكيل لقبول هذه الرؤوس من وكلاء المنبع الموثوقة بشكل صريح فقط

3. تطبيق قوائم السماح بعناوين IP الصارمة على محيط الشبكة (قواعد جدار الحماية)

4. تعطيل معالجة رؤوس X-Forwarded-For و X-Real-Ip إذا لم تكن مطلوبة

5. فرض المصادقة المتبادلة TLS (mTLS) كطبقة تحكم وصول إضافية

قواعد الكشف:

1. مراقبة سجلات RustFS للطلبات التي تحتوي على رؤوس X-Forwarded-For/X-Real-Ip من مصادر غير متوقعة

2. التنبيه على عناوين IP في الرؤوس التي لا تطابق عنوان IP لاتصال المصدر

3. تتبع محاولات المصادقة الفاشلة متبوعة بالوصول الناجح من عناوين IP مختلفة

4. تطبيق قواعد SIEM للكشف عن محاولات تزييف عناوين IP السريعة عبر طلبات متعددة

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.1 - Access Control Policy (IP-based access controls circumvented) 5.1.2 - User Registration and De-registration (unauthorized access via IP spoofing) 5.2.1 - User Access Management (authentication bypass through header manipulation) 5.3.1 - Password Management (if IP controls are primary authentication layer) 6.1.1 - Information Security Incident Management (breach detection and response)

🔵 SAMA CSF

AC-2: Account Management and Access Controls AC-3: Access Enforcement (IP-based policies not properly enforced) AC-4: Information Flow Enforcement AU-2: Audit and Accountability (logging of spoofed access attempts) SC-7: Boundary Protection (network perimeter controls)

🟡 ISO 27001:2022

A.5.1.1 - Policies for information security (access control policies) A.5.2.1 - User registration and access rights management A.5.3.1 - Management of privileged access rights A.6.1.1 - Information security roles and responsibilities A.8.1.1 - User endpoint devices (client-side header manipulation) A.8.3.1 - Segregation of networks

🟣 PCI DSS v4.0.1

Requirement 1.2.1 - Firewall configuration standards (IP-based access controls) Requirement 2.2.4 - Configure system security parameters Requirement 6.5.10 - Broken authentication (header-based authentication bypass) Requirement 7.1 - Limit access to system components by business need-to-know

🔗 References & Sources 1

🔗

https://github.com/rustfs/rustfs/security/advisories/GHSA-fc6g-2gcp-2qrq

security-advisories@github.com

Vendor Advisory

📦 Affected Products / CPE 50 entries

rustfs:rustfs:1.0.0

📊 CVSS Score

7.5

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityN — None / Network

IntegrityH — High

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score7.5

CWECWE-290

EPSS0.04%

Exploit No

Patch ✓ Yes

Published 2026-02-03

Source Feed nvd

🇸🇦 Saudi Risk Score

8.2

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

CWE-290

🏢 Vendor Advisories

🔗 https://github.com/rustfs/rustfs/security/advisories...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-21862

💬 Comments

Introduce Yourself

Sign In Required