{"id":"CVE-2026-46685","summary":"RustFS: Reflective CORS with credentials on S3 listener; unauthenticated license metadata endpoint on console","details":"RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: * on responses, including preflight responses and error responses. This creates a permissive cross-domain policy with untrusted origins. A browser visiting an attacker-controlled page can issue credentialed cross-origin requests to a reachable RustFS deployment and read the response when the victim browser has ambient credentials for the RustFS origin, such as saved HTTP Basic Auth credentials, reverse-proxy SSO cookies, or TLS client certificates. This vulnerability is fixed in 1.0.0-beta.2.","aliases":["GHSA-x5xv-223c-8vm7"],"modified":"2026-07-08T08:13:38.109738608Z","published":"2026-05-28T18:41:35.789Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46685.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-306","CWE-346","CWE-942"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46685.json"},{"type":"ADVISORY","url":"https://github.com/rustfs/rustfs/security/advisories/GHSA-x5xv-223c-8vm7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46685"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rustfs/rustfs","events":[{"introduced":"0"},{"fixed":"9f07029373af3c989bb26ac98a7df2c086b37c5c"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"1.0.0-beta.2"}]}}],"versions":["v1.0.0-beta.1","1.0.0-beta.1","1.0.0-alpha.99","1.0.0-alpha.98","1.0.0-alpha.97","1.0.0-alpha.96","1.0.0-alpha.95","1.0.0-alpha.94","1.0.0-alpha.93","1.0.0-alpha.92","1.0.0-alpha.91","1.0.0-alpha.90","1.0.0-alpha.89","1.0.0-alpha.88","1.0.0-alpha.87","1.0.0-alpha.86","1.0.0-alpha.85","1.0.0-alpha.84","1.0.0-alpha.83","1.0.0-alpha.82","1.0.0-alpha.81","1.0.0-alpha.80","1.0.0-alpha.79","1.0.0-alpha.78","1.0.0-alpha.77","1.0.0-alpha.76","1.0.0-alpha.75","1.0.0-alpha.74","1.0.0-alpha.73","1.0.0-alpha.72","1.0.0-alpha.71","1.0.0-alpha.70","1.0.0-alpha.69","1.0.0-alpha.68","1.0.0-alpha.67","1.0.0-alpha.66","1.0.0-alpha.65","1.0.0-alpha.64","1.0.0-alpha.63","1.0.0-alpha.62","1.0.0-alpha.61","1.0.0-alpha.60","1.0.0-alpha.59","1.0.0-alpha.58","1.0.0-alpha.57","1.0.0-alpha.56","1.0.0-alpha.55","1.0.0-alpha.54","1.0.0-alpha.53","1.0.0-alpha.52","1.0.0-alpha.51","1.0.0-alpha.50","1.0.0-alpha.49","1.0.0-alpha.48","1.0.0-alpha.47","1.0.0-alpha.46","1.0.0-alpha.45","1.0.0-alpha.44","1.0.0-alpha.43","1.0.0-alpha.42","1.0.0-alpha.41","1.0.0-alpha.40","1.0.0-alpha.39","1.0.0-alpha.38","1.0.0-alpha.37","1.0.0-alpha.36","1.0.0-alpha.35","1.0.0-alpha.34","1.0.0-alpha.33","1.0.0-alpha.32","1.0.0-alpha.31","1.0.0-alpha.30","1.0.0-alpha.29","1.0.0-alpha.28","1.0.0-alpha.27","1.0.0-alpha.26","1.0.0-alpha.25","1.0.0-alpha.24","1.0.0-alpha.23","1.0.0-alpha.22","1.0.0-alpha.21","1.0.0-alpha.20","1.0.0-alpha.19","1.0.0-alpha.18","1.0.0-alpha.17","1.0.0-alpha.16","1.0.0-alpha.15","1.0.0-alpha.14","1.0.0-alpha.13","1.0.0-alpha.12","1.0.0-alpha.11","1.0.0-alpha.10","1.0.0-alpha.9","1.0.0-alpha.8","1.0.0-alpha.7","1.0.0-alpha.6","1.0.0-alpha.5","1.0.0-alpha.4","1.0.0-alpha.3","1.0.0-alpha.2","1.0.0-alpha.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46685.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"}]}