rustfs (crates.io) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the crates.io package rustfs, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (12)
CVE-2026-22043 — CVSS 9.8 (critical): RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only`…
CVE-2025-68926 — CVSS 9.8 (critical): RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication…
CVE-2025-68705 — CVSS 9.8 (critical): RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.78, RustFS contains a path traversal…
CVE-2026-27822 — CVSS 9.0 (critical): RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting (XSS)…
CVE-2026-22042 — CVSS 8.8 (high): RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, he `ImportIam` admin API validates…
CVE-2026-40937 — CVSS 8.3 (high): RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in…
CVE-2026-27607 — CVSS 8.1 (high): RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate…
CVE-2026-22782 — CVSS 7.5 (high): RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the…
CVE-2026-24762 — CVSS 7.5 (high): RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material…
CVE-2026-21862 — CVSS 7.5 (high): RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed…
CVE-2026-39360 — CVSS 4.3 (medium): RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the…
CVE-2025-69255 — CVSS 4.0 (medium): RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.77, a malformed gRPC GetMetrics…