Stored XSS Vulnerability in RustFS Console Puts S3 Admin Credentials at Risk

Introduction

A critical security flaw has been identified in the RustFS Console, exposing administrators to a high risk of account takeover. This Stored Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-27822, affects versions of the Rust package before 1.0.0-alpha.83 and carries a critical CVSS v3 score of 10.0.

Vulnerability Details

The vulnerability allows an attacker to execute arbitrary JavaScript within the context of the management console, potentially leading to complete system compromise. This issue arises from two primary problems: improper validation of response content types during file previews and a lack of origin separation between S3 object delivery and the management console.

Attack Mechanism

RustFS typically hosts both the management console and the S3 API on the same origin (IP and port), so the browser's Same-Origin Policy provides no isolation between them. The console renders previews in an <iframe> chosen by file extension, but it does not strictly validate the content type actually being served.

An attacker can exploit this by uploading a malicious file, such as an HTML document containing JavaScript, under a name with a .pdf extension and with its Content-Type metadata set to text/html. When an administrator previews what looks like a harmless PDF, the browser interprets the content as HTML and executes any embedded JavaScript.
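The following Rust example is added here to illustrate the two behaviours the advisory contrasts; it is not RustFS code, and the function names (`vulnerable_response`, `preview_response`), the `PreviewResponse` type and the extension allow-list are assumptions made for the example. The vulnerable path mirrors the description above: the extension selects the viewer and the stored Content-Type is passed straight to the browser. The hardened path trusts neither value on its own: the stored type must agree with the allow-listed type for the extension, otherwise the object is forced to a download, and every response carries `X-Content-Type-Options: nosniff` and a `Content-Security-Policy: sandbox` so that even mis-served HTML cannot run scripts in the console's origin. Serving objects from a separate origin, the other fix the advisory names, is a deployment change and is not modelled here.

```rust
// Added example, not RustFS code. Decides how a console "preview" endpoint
// should serve an object, given its key and the Content-Type stored as
// object metadata.
use std::collections::HashMap;

#[derive(Debug, PartialEq, Clone)]
pub struct PreviewResponse {
    pub content_type: String,
    pub headers: Vec<(String, String)>,
}

/// Extensions the console may render inline, and the only Content-Type
/// accepted for each (assumed allow-list for the example).
fn inline_allowlist() -> HashMap<&'static str, &'static str> {
    HashMap::from([
        ("pdf", "application/pdf"),
        ("png", "image/png"),
        ("jpg", "image/jpeg"),
        ("jpeg", "image/jpeg"),
        ("gif", "image/gif"),
        ("txt", "text/plain"),
    ])
}

/// Normalise a Content-Type value: lowercase, parameters stripped.
fn media_type(value: &str) -> String {
    value.split(';').next().unwrap_or("").trim().to_ascii_lowercase()
}

/// Behaviour the advisory describes: the stored Content-Type is forwarded
/// unchanged and nothing stops the browser from treating it as a page.
pub fn vulnerable_response(_key: &str, stored_content_type: &str) -> PreviewResponse {
    PreviewResponse { content_type: stored_content_type.to_string(), headers: vec![] }
}

/// Hardened version: extension and stored type must both match the
/// allow-list, and the response is sniff-proof and CSP-sandboxed.
pub fn preview_response(key: &str, stored_content_type: &str) -> PreviewResponse {
    let ext = key
        .rsplit('.')
        .next()
        .filter(|_| key.contains('.'))
        .map(|e| e.to_ascii_lowercase());
    let expected = ext.as_deref().and_then(|e| inline_allowlist().get(e).copied());
    let stored = media_type(stored_content_type);

    // Filename for Content-Disposition: last path component, safe characters only.
    let filename: String = key
        .rsplit('/')
        .next()
        .unwrap_or("download")
        .chars()
        .filter(|c| c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_'))
        .collect();

    let mut headers = vec![
        ("X-Content-Type-Options".to_string(), "nosniff".to_string()),
        ("Content-Security-Policy".to_string(), "sandbox; default-src 'none'".to_string()),
    ];

    match expected {
        // Extension and stored type agree: render inline under the allow-listed type.
        Some(allowed) if allowed == stored => {
            headers.push(("Content-Disposition".to_string(), format!("inline; filename=\"{}\"", filename)));
            PreviewResponse { content_type: allowed.to_string(), headers }
        }
        // Mismatch or unknown extension: never render, force a download.
        _ => {
            headers.push(("Content-Disposition".to_string(), format!("attachment; filename=\"{}\"", filename)));
            PreviewResponse { content_type: "application/octet-stream".to_string(), headers }
        }
    }
}

fn main() {
    // Constructed scenario from the advisory: HTML stored as xss.pdf with text/html metadata.
    let key = "bucket/xss.pdf";
    let stored = "text/html";
    println!("vulnerable: {:?}", vulnerable_response(key, stored));
    println!("hardened:   {:?}", preview_response(key, stored));
}
```

Running the block shows the vulnerable path echoing `text/html` for `xss.pdf`, while the hardened path serves it as `application/octet-stream` with an `attachment` disposition. The `Content-Security-Policy: sandbox` header is deliberately sent even for legitimate inline previews: it costs nothing for a PDF or image and is the last line of defence if the allow-list check is ever bypassed.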

Demonstration of Vulnerability

A proof-of-concept (PoC) demonstrates how simple this attack can be. An attacker creates a payload like <script>alert('XSS Success!\nLocalStorage Data: ' + JSON.stringify(window.parent.localStorage));</script>. They upload this file to a target bucket, ensuring the name is xss.pdf and setting the attribute as –attr


Original article: https://gbhackers.com/stored-xss-vulnerability-in-rustfs-console-puts-s3-admin-credentials-at-risk/