CVE-2026-39360

Summary

RustFS has an authorization bypass in multipart UploadPartCopy enables cross-bucket object exfiltration

Severity

medium

EPSS

0.2% (p10)

Also known as

GHSA-mx42-j6wv-px98

Published

2026-04-08

References

• https://github.com/rustfs/rustfs/security/advisories/GHSA-mx42-j6wv-px98
• https://nvd.nist.gov/vuln/detail/CVE-2026-39360
• https://github.com/rustfs/rustfs

Related advisories

• CVE-2026-27822 — critical · crates.io/rustfs
• CVE-2025-68926 — critical · crates.io/rustfs
• GHSA-mm2q-qcmx-gw4w — high · crates.io/rustfs
• CVE-2026-40937 — high · crates.io/rustfs
• CVE-2026-27607 — high · crates.io/rustfs
• CVE-2026-21862 — high · crates.io/rustfs
• CVE-2025-68705 — high · crates.io/rustfs
• CVE-2026-24762 — medium · crates.io/rustfs

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity