Stored XSS Vulnerability in RustFS Console Puts S3 Admin Credentials at Risk


A critical security flaw has been identified in the RustFS Console, exposing administrators to a high risk of account takeover.

Tracked as CVE-2026-27822, this Stored Cross-Site Scripting (XSS) vulnerability carries a critical CVSS v3 score of 10.0 and affects RustFS releases before 1.0.0-alpha.83, the patched version.

The vulnerability allows an attacker to execute arbitrary JavaScript within the context of the management console, potentially leading to complete system compromise.

The vulnerability stems from two primary issues: improper validation of response content types during file previews and the lack of origin separation between S3 object delivery and the management console.

RustFS typically serves both the management console and the S3 API from the same origin (same IP and port). Under the browser's Same-Origin Policy, anything delivered from a bucket is therefore trusted exactly as much as the console itself, which is what makes a stored object a viable XSS vector.

Technical Metric     Vulnerability Details
CVE ID               CVE-2026-27822
GitHub Advisory      GHSA-v9fg-3cr2-277j
Vulnerability Type   Stored Cross-Site Scripting (XSS)
Patched Version      1.0.0-alpha.83
Severity Score       Critical (CVSS v3 10.0 / 10)

When a file is previewed, the console loads it into an iframe and chooses the renderer from the file extension alone. It does not check that the Content-Type actually served for the object matches that extension.

The Attack Mechanism

The RustFS Console insecurely stores highly sensitive S3 credentials, including the AccessKey, SecretKey, and SessionToken, in the browser’s localStorage.

Because the iframe used for the preview is served from the same origin as the console, any script running inside that frame can reach the parent window's DOM and localStorage without restriction.

According to RustFS, an attacker can exploit this by uploading a malicious file, for example, an HTML file containing JavaScript, but naming it with a .pdf extension.

Crucially, the attacker must set the object's Content-Type metadata to text/html. When an administrator previews this seemingly harmless PDF, the object is served with that Content-Type header, so the browser renders it as HTML and executes the embedded JavaScript, regardless of the .pdf extension.

PoC (Source: GitHub)

A proof-of-concept (PoC) demonstrates the simplicity of this attack.

  1. An attacker crafts an HTML file containing JavaScript that reads the console's localStorage.
  2. They upload it to a target bucket under the name xss.pdf, setting the object's Content-Type metadata to text/html (for example with a client's --attr "Content-Type=text/html" option).
  3. When an administrator logs into the RustFS Console and clicks "Preview" on xss.pdf, the JavaScript executes and exfiltrates the localStorage contents, including the administrative credentials.

Impact and Mitigation

The impact of this Stored XSS vulnerability is severe. By stealing the victim’s S3 credentials, the attacker achieves full Account Takeover (ATO).

This grants them the ability to perform any administrative action, such as deleting data, creating backdoors, or downloading the entire filesystem via the S3 API.

To mitigate this critical threat, RustFS users must update to the patched version, 1.0.0-alpha.83. Additionally, security experts propose the following long-term solutions:

  • Origin Separation: Implement a dedicated domain for data delivery that differs from the console domain to leverage the Same-Origin Policy (SOP).
  • Security Headers: Enforce strict security headers in the backend, such as a Content-Security-Policy (CSP) to restrict script execution, and X-Content-Type-Options: nosniff to stop the browser from MIME-sniffing a response into a type other than the one declared. Note that nosniff only helps once the backend itself sets a trustworthy Content-Type; in this attack the declared type is already text/html, so validating the served content type against the preview's expectations is what actually closes the hole.
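To make the content-type validation and the header fixes concrete, here is an added example in JavaScript; it is not RustFS code and not taken from the advisory. A backend preview policy derives the served Content-Type from an extension allow-list instead of echoing the object's stored metadata, refuses inline rendering on a mismatch, and always sends nosniff plus a sandboxing CSP. A second function runs the same check over a bucket listing to hunt for objects that carry the xss.pdf pattern. The function names, the allow-list and the sample listing are assumptions constructed for this example.

```javascript
// Added example, not RustFS code: a server-side preview policy that never trusts
// the extension alone, plus a hunt over a bucket listing for the extension /
// Content-Type mismatch the PoC relies on. Function names, the allow-list and
// the listing format are assumptions for illustration.

// Extensions the console may render inline, with the only Content-Type the
// backend will ever send for them (the stored object metadata is never echoed).
const INLINE_TYPES = {
  pdf: "application/pdf",
  png: "image/png",
  jpg: "image/jpeg",
  jpeg: "image/jpeg",
  gif: "image/gif",
  txt: "text/plain",
  json: "application/json",
};

function extensionOf(key) {
  const m = /\.([a-z0-9]+)$/i.exec(key);
  return m ? m[1].toLowerCase() : "";
}

// "text/html; charset=utf-8" -> "text/html"
function mimeOf(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// Decide how to serve one object to the preview iframe.
// Returns { inline, reason, headers }.
function previewPolicy(key, storedContentType) {
  const expected = INLINE_TYPES[extensionOf(key)];
  const declared = mimeOf(storedContentType);
  const headers = {
    // Forbid MIME sniffing: the browser must not second-guess our Content-Type.
    "X-Content-Type-Options": "nosniff",
    // Defence in depth: if markup ever reaches the frame it runs in an opaque
    // origin with no script allowed, so it cannot touch the console's localStorage.
    "Content-Security-Policy": "sandbox; default-src 'none'",
  };

  let reason = "ok";
  if (!expected) reason = "unsupported-extension";
  else if (!declared) reason = "missing-content-type";
  else if (declared !== expected) reason = "content-type-mismatch";

  if (reason !== "ok") {
    // Refuse inline rendering; force a download with an inert type.
    headers["Content-Type"] = "application/octet-stream";
    headers["Content-Disposition"] =
      `attachment; filename="${encodeURIComponent(key.split("/").pop())}"`;
    return { inline: false, reason, headers };
  }
  headers["Content-Type"] = expected;
  headers["Content-Disposition"] = "inline";
  return { inline: true, reason, headers };
}

// Hunt: which objects in a listing carry the xss.pdf pattern (extension says
// one thing, stored Content-Type says another)?
function findMismatchedObjects(listing) {
  return listing
    .map((o) => ({ key: o.key, declared: mimeOf(o.contentType), ...previewPolicy(o.key, o.contentType) }))
    .filter((r) => r.reason === "content-type-mismatch")
    .map((r) => ({ key: r.key, declared: r.declared }));
}

// Constructed sample listing (not real bucket data).
const SAMPLE_LISTING = [
  { key: "reports/q1.pdf", contentType: "application/pdf" },
  { key: "uploads/xss.pdf", contentType: "text/html; charset=utf-8" },
  { key: "images/logo.png", contentType: "image/png" },
  { key: "notes/readme.txt", contentType: "" },
];

for (const o of SAMPLE_LISTING) {
  const p = previewPolicy(o.key, o.contentType);
  console.log(o.key, p.inline ? "inline" : "download", p.reason, p.headers["Content-Type"]);
}
console.log("mismatched:", findMismatchedObjects(SAMPLE_LISTING));
```

The policy deliberately treats a missing stored Content-Type as a reason to refuse inline rendering too: an allow-list that is only consulted when metadata happens to be present is the same trust-the-extension logic the advisory describes. Serving object data from a separate origin (the first mitigation above) remains the stronger fix, because it makes the localStorage theft impossible even if a renderer bug slips past this check.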

Administrators are urged to apply the patch immediately to secure their RustFS deployments.



