Critical XSS Flaw Disclosed in RustFS for S3 Storage

A critical cross-site scripting (XSS) vulnerability has been discovered in RustFS, a tool for S3-compatible storage. The flaw could allow for a total admin account takeover, posing a significant risk for systems that interface with S3 storage and don't properly sanitize user-supplied inputs.

The vulnerability, tracked as CVE-2026-27822, carries a critical CVSS score of 10.0. It specifically affects versions of the RustFS console prior to 1.0.0-alpha.83. The recommended mitigation is to update to the patched version, 1.0.0-alpha.83, which resolves the issue.

The exploit is possible due to two main issues: the insecure storage of S3 credentials (AccessKey, SecretKey, and SessionToken) in the browser's localStorage, and the lack of origin separation between the management console and the S3 API, which are often hosted on the same origin. This setup creates a same-origin vulnerability that allows scripts in an iframe to access the parent window's data.

An attacker can execute this stored cross-site scripting attack by uploading a malicious HTML file containing JavaScript but naming it with a benign extension like `.pdf`. By setting the file's `Content-Type` metadata to `text/html`, an attacker can bypass the preview logic, which fails to strictly validate the actual content type being served in an `<iframe>`. Once the malicious script is executed within the context of the management console, it can steal the administrator's S3 credentials from localStorage. This leads to a full administrative account takeover, granting the attacker the ability to delete data, create backdoors, or download the entire filesystem using the S3 API.

RustFS is a high-performance, open-source object storage system written in Rust and designed to be a fast alternative to MinIO. It is 100% S3 protocol compatible and often used for AI/ML workloads, analytics, code repositories, and backups in cloud-native environments.

Beyond updating, long-term security improvements suggested include implementing origin separation by hosting the management console and data delivery on different domains. As a temporary workaround, users can avoid the preview feature for files from untrusted sources and implement stricter server-side content type validation.
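As an added illustration of the server-side content-type validation the article recommends (example code written for this summary, not RustFS's own; the function and type names are hypothetical), the check below refuses to render an object inline unless its file extension, its sniffed leading bytes and its stored `Content-Type` metadata all agree, and it never renders HTML inline regardless of what the metadata claims:

```rust
#[derive(Debug, PartialEq)]
pub enum PreviewDecision {
    Inline(&'static str), // safe to render in an <iframe> with this Content-Type
    Download,             // serve as an attachment only, never rendered
}

/// Expected Content-Type derived from the object name alone (allow-list).
fn type_for_extension(name: &str) -> Option<&'static str> {
    match name.rsplit('.').next().map(|e| e.to_ascii_lowercase()).as_deref() {
        Some("pdf") => Some("application/pdf"),
        Some("png") => Some("image/png"),
        Some("jpg") | Some("jpeg") => Some("image/jpeg"),
        Some("txt") => Some("text/plain"),
        _ => None,
    }
}

/// Real type from magic bytes; None when the bytes match no known binary format.
fn sniff(bytes: &[u8]) -> Option<&'static str> {
    if bytes.starts_with(b"%PDF-") { return Some("application/pdf"); }
    if bytes.starts_with(b"\x89PNG\r\n\x1a\n") { return Some("image/png"); }
    if bytes.starts_with(&[0xFF, 0xD8, 0xFF]) { return Some("image/jpeg"); }
    None
}

/// `stored_type` is the user-controlled Content-Type metadata. It may only
/// *agree* with the extension and the sniffed bytes; it can never override them,
/// so metadata of `text/html` on a `.pdf` object cannot turn on HTML rendering.
pub fn preview_decision(name: &str, stored_type: &str, bytes: &[u8]) -> PreviewDecision {
    let expected = match type_for_extension(name) {
        Some(t) => t,
        None => return PreviewDecision::Download, // unknown extension: no preview
    };
    // HTML is never rendered inline from the console origin.
    if expected.starts_with("text/html") || stored_type.starts_with("text/html") {
        return PreviewDecision::Download;
    }
    if stored_type.split(';').next().map(str::trim) != Some(expected) {
        return PreviewDecision::Download; // metadata disagrees with extension
    }
    match sniff(bytes) {
        Some(real) if real == expected => PreviewDecision::Inline(expected),
        None if expected == "text/plain" => PreviewDecision::Inline(expected),
        _ => PreviewDecision::Download, // bytes disagree with the claimed type
    }
}
```

A `Download` decision should be served with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` so the browser neither renders nor re-sniffs the body; serving previews from a separate origin, as the article suggests, keeps even a mis-classified file away from the console's localStorage.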
