Security Advisory

CVE-2026-21862

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-02-03 16:06:08

Last updated 2026-02-03 17:10:32

Assigner GitHub_M

State PUBLISHED

Description

RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. This issue has been patched in version alpha.78.

← Browse all CVEs View on cve.org ↗