CVE-2026-21862


📋 TL;DR

This vulnerability allows attackers to bypass IP-based access controls in RustFS by spoofing their IP address using HTTP headers. Any client that can reach the RustFS service can impersonate allowed IP addresses and access restricted resources. This affects all RustFS deployments using IP allowlist policies before version alpha.78.

💻 Affected Systems

Products:
  • RustFS
Versions: All versions prior to alpha.78
Operating Systems: All platforms running RustFS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using IP-based access control policies. Systems not using IP allowlists are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthorized access to sensitive stored data, data exfiltration, or service disruption if attackers bypass IP restrictions to access administrative functions.

🟠 Likely Case

Attackers bypass IP restrictions to access data they shouldn't have access to, potentially exposing sensitive information stored in the object storage system.

🟢 If Mitigated

Limited impact if additional authentication layers or network segmentation are in place, but IP-based controls remain ineffective.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the RustFS service but no authentication. Attackers can simply send crafted HTTP headers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: alpha.78

Vendor Advisory: https://github.com/rustfs/rustfs/security/advisories/GHSA-fc6g-2gcp-2qrq

Restart Required: Yes

Instructions:

1. Update RustFS to version alpha.78 or later.
2. Restart the RustFS service.
3. Verify the update was successful.

🔧 Temporary Workarounds

Configure Reverse Proxy Validation


Configure a reverse proxy to strip or validate X-Forwarded-For and X-Real-Ip headers before they reach RustFS.

# nginx: overwrite both headers with the real peer address ($proxy_add_x_forwarded_for would append $remote_addr to a client-supplied header rather than strip it)
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-Ip $remote_addr;
# Apache (mod_headers): RequestHeader set X-Forwarded-For expr=%{REMOTE_ADDR}
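As an added illustration (not RustFS code and not the vendor's fix), the resolver pattern behind this class of bug, which believes X-Forwarded-For / X-Real-Ip from any sender, beside a hardened resolver that honours the header only when the TCP peer is a trusted proxy and takes the rightmost hop the proxy chain vouched for; the proxy and allowlist addresses are constructed sample values:

```rust
use std::net::{IpAddr, Ipv4Addr};

// Constructed sample: the one reverse proxy allowed to set forwarding headers.
const TRUSTED_PROXIES: [IpAddr; 1] = [IpAddr::V4(Ipv4Addr::new(10, 0, 0, 5))];

fn is_trusted_proxy(ip: IpAddr) -> bool {
    TRUSTED_PROXIES.contains(&ip)
}

fn parse_ip(s: &str) -> Option<IpAddr> {
    s.trim().parse::<IpAddr>().ok()
}

/// Flawed pattern: forwarding headers are believed no matter who sent them,
/// so any peer that can reach the service may claim an allowlisted address.
pub fn client_ip_vulnerable(peer: IpAddr, xff: Option<&str>, x_real_ip: Option<&str>) -> IpAddr {
    if let Some(ip) = xff.and_then(|h| h.split(',').next()).and_then(parse_ip) {
        return ip;
    }
    if let Some(ip) = x_real_ip.and_then(parse_ip) {
        return ip;
    }
    peer
}

/// Hardened: the socket peer address is authoritative unless the peer is a
/// trusted proxy; then walk X-Forwarded-For from the right and return the first
/// hop that is not itself a trusted proxy. A spoofed left-hand entry is ignored.
pub fn client_ip_hardened(peer: IpAddr, xff: Option<&str>) -> IpAddr {
    if !is_trusted_proxy(peer) {
        return peer;
    }
    let hops: Vec<IpAddr> = match xff {
        Some(h) => h.split(',').filter_map(parse_ip).collect(),
        None => return peer,
    };
    hops.iter().rev().copied().find(|ip| !is_trusted_proxy(*ip)).unwrap_or(peer)
}

pub fn is_allowed(ip: IpAddr, allowlist: &[IpAddr]) -> bool {
    allowlist.contains(&ip)
}

fn main() {
    let allowlist = [IpAddr::V4(Ipv4Addr::new(192, 168, 1, 10))];
    let attacker: IpAddr = "203.0.113.66".parse().unwrap();
    println!("vulnerable: allowed={}", is_allowed(client_ip_vulnerable(attacker, Some("192.168.1.10"), None), &allowlist));
    println!("hardened:   allowed={}", is_allowed(client_ip_hardened(attacker, Some("192.168.1.10")), &allowlist));
}
```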

Disable IP-Based Access Control


Temporarily disable IP allowlist policies and rely on other authentication mechanisms.

# Edit RustFS configuration to remove IP-based policies

🧯 If You Can't Patch

  • Implement network-level IP filtering at firewall or load balancer
  • Add additional authentication layer (API keys, tokens) for all access

🔍 How to Verify

Check if Vulnerable:

Check RustFS version. If version is earlier than alpha.78 and IP-based access control is enabled, the system is vulnerable.

Check Version:

rustfs --version

Verify Fix Applied:

After updating to alpha.78 or later, confirm from a host that is not on the allowlist that supplying X-Forwarded-For or X-Real-Ip headers no longer bypasses the IP-based access controls.

📡 Detection & Monitoring

Log Indicators:

  • Requests from unexpected IP addresses accessing restricted resources
  • Multiple IP addresses in X-Forwarded-For headers

Network Indicators:

  • HTTP requests with crafted X-Forwarded-For headers to RustFS endpoints

SIEM Query:

source="rustfs" AND (http_header="X-Forwarded-For" OR http_header="X-Real-Ip") AND status=200 AND resource="restricted_endpoint"
