Trust Issues: The RustFS IP Spoofing Bypass (CVE-2026-21862)

Vulnerability ID: CVE-2026-21862
CVSS Score: 7.7
Published: 2026-02-03

RustFS, a distributed object storage system designed for safety and performance, fell victim to one of the oldest tricks in the book: trusting client input. Prior to version alpha.78, the system determined a user's source IP address by blindly believing the 'X-Forwarded-For' header. This allowed attackers to bypass IP-based Access Control Lists (ACLs) by simply asking nicely—or rather, by spoofing a trusted IP address in their HTTP headers.

TL;DR

RustFS allowed attackers to bypass IP allowlists by spoofing the 'X-Forwarded-For' header. Fixed in alpha.78 by validating against the actual TCP socket address.

⚠️ Exploit Status: POC

Technical Details

• CWE ID: CWE-290
• Attack Vector: Network (Layer 7)
• CVSS v4.0: 7.7 (High)
• Impact: Authorization Bypass
• Exploit Status: Proof of Concept (PoC) Available
• Components: get_condition_values (auth.rs)

Affected Systems

• RustFS < alpha.78
• RustFS: < alpha.78 (Fixed in: alpha.78)

Code Analysis

Commit: b4ba62f

fix: use remote addr from socket instead of header

- let remote_addr = header.get("x-forwarded-for")...
+ let remote_addr = socket.peer_addr()...

Exploit Details

• Manual: curl -H 'X-Forwarded-For: '

Mitigation Strategies

• Update RustFS to version >= alpha.78
• Configure edge firewalls/WAFs to strip X-Forwarded-For headers from untrusted sources
• Implement strict mutual TLS (mTLS) instead of relying solely on IP allowlists

Remediation Steps:

1. Identify all instances of RustFS running versions < alpha.78.
2. Pull the latest docker image or compile from source (tag: alpha.78).
3. Restart the RustFS service.
4. Verify the fix by attempting to spoof a known allowed IP using curl: curl -H 'X-Forwarded-For: <allowed_ip>' <target>.

References

• GHSA Advisory
• NVD Detail

Read the full report for CVE-2026-21862 on our website for more details including interactive diagrams and full exploit analysis.