Categories: Cyber Security News

Stored XSS Flaw in RustFS Console Leaks Admin S3 Credentials

A severe stored cross-site scripting (XSS) flaw in the RustFS Console lets attackers steal admin S3 credentials, enabling full account takeovers.

Published three days ago via GHSA-v9fg-3cr2-277j by overtrue, this vulnerability affects versions before 1.0.0-alpha.82.

RustFS, a Rust-based file system with S3 compatibility, hosts its management console and S3 API on the same origin, creating a dangerous overlap.

Vulnerability Breakdown

The issue lives in the preview modal (console/components/object/preview-modal.vue). It renders objects such as PDFs inside an iframe without checking that the declared content type matches what is actually being served.

An attacker uploads an object named “xss.pdf” whose body is HTML and whose metadata declares text/html. When an admin previews it, the iframe, which shares the console's origin, executes the embedded JavaScript.

That script can read the parent window's localStorage, where RustFS stores the S3 credentials: AccessKeyId, SecretAccessKey, and SessionToken (see composables/useAuth.ts lines 14 and 18-25). No origin isolation, iframe sandboxing, or security headers stand in the way.

Field              Details
CVE ID             CVE-2026-27822
Severity           Critical
CVSS v3.1 Score    9.9/10 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
Attack Vector      Network
Affected Versions  < 1.0.0-alpha.82
Patched Versions   1.0.0-alpha.83
Weaknesses         Stored XSS

Proof-of-Concept Attack

  1. Craft payload: <script>alert('XSS Success!\nLocalStorage Data: ' + JSON.stringify(window.parent.localStorage));</script> saved as xss.html.
  2. Upload via MinIO client: mc cp xss.html rustfs/my-bucket/xss.pdf --attr "Content-Type=text/html".
  3. An admin previews the file in the console; the script runs and dumps the stored credentials.

A screenshot PoC shows the alert with stolen localStorage data.


Admins face a full takeover. Attackers gain S3 control to delete buckets, exfiltrate data, or plant backdoors.

Attack complexity is low (network reachable, low privileges, user interaction required), but the changed scope amplifies the risk in shared environments, since the stolen credentials reach beyond the console itself.

  • Upgrade to 1.0.0-alpha.83 immediately.
  • Separate origins: host S3 data on a distinct domain (e.g., data.rustfs.io) so the Same-Origin Policy isolates previewed content from the console.
  • Add headers: a Content-Security-Policy that restricts script execution, and X-Content-Type-Options: nosniff.
  • Validate file types server-side and sandbox or sanitize previews.
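The following is an added example, not code from the RustFS project or the advisory, showing what the preview-modal check described above and the last two mitigations look like in practice: an object is embedded only when its declared Content-Type is on an allow-list and both the key extension and the leading bytes agree with it, the iframe is always sandboxed, and anything else is served as a download. The metadata shape ({ key, contentType, head }) and the sample objects are assumptions made up for this example.

```javascript
// Added example, not RustFS project code. Gating logic for an object-browser
// preview modal: render only allow-listed types whose extension and magic
// bytes match the declared type, and always sandbox the iframe.
// The object shape { key, contentType, head } is an assumption of this example.

// Allow-listed preview types with the extensions and magic bytes they require.
const PREVIEWABLE = {
  'application/pdf': { ext: ['pdf'], magic: [0x25, 0x50, 0x44, 0x46] },   // "%PDF"
  'image/png':       { ext: ['png'], magic: [0x89, 0x50, 0x4e, 0x47] },   // "\x89PNG"
  'image/jpeg':      { ext: ['jpg', 'jpeg'], magic: [0xff, 0xd8, 0xff] },
};

// Lower-cased extension of the last path segment, '' if there is none.
function extensionOf(key) {
  const base = key.split('/').pop();
  const dot = base.lastIndexOf('.');
  return dot === -1 ? '' : base.slice(dot + 1).toLowerCase();
}

// "Text/HTML; charset=utf-8" -> "text/html"
function normalizeType(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// True when the first bytes of the object equal the expected magic sequence.
function hasMagic(head, magic) {
  if (!head || head.length < magic.length) return false;
  return magic.every((b, i) => head[i] === b);
}

// Returns { render: false, reason } or { render: true, iframe, headers }.
function decidePreview(obj) {
  const type = normalizeType(obj.contentType);
  const rule = PREVIEWABLE[type];
  if (!rule) {
    return { render: false, reason: `declared type "${type || '(none)'}" is not previewable` };
  }
  const ext = extensionOf(obj.key);
  if (!rule.ext.includes(ext)) {
    return { render: false, reason: `extension ".${ext}" does not match ${type}` };
  }
  if (!hasMagic(obj.head, rule.magic)) {
    return { render: false, reason: `content does not look like ${type}` };
  }
  return {
    render: true,
    // An empty sandbox attribute puts the frame in an opaque origin with no
    // script execution, so even an HTML body could not reach the parent's
    // localStorage.
    iframe: { sandbox: '', referrerpolicy: 'no-referrer' },
    // Headers the server should attach to the preview response.
    headers: {
      'Content-Type': type,
      'X-Content-Type-Options': 'nosniff',
      'Content-Security-Policy': "default-src 'none'",
      'Content-Disposition': 'inline',
    },
  };
}

// Anything not previewable is forced to download instead of being rendered.
function downloadHeaders(obj) {
  const name = obj.key.split('/').pop().replace(/[^\w.-]/g, '_');
  return {
    'Content-Type': 'application/octet-stream',
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': `attachment; filename="${name}"`,
  };
}

// Constructed sample objects (not real uploads).
const enc = new TextEncoder();
const SAMPLES = {
  legit:    { key: 'reports/q1.pdf', contentType: 'application/pdf', head: enc.encode('%PDF-1.7\n') },
  declared: { key: 'uploads/xss.pdf', contentType: 'text/html',       head: enc.encode('<script>') },
  spoofed:  { key: 'uploads/x.pdf',   contentType: 'application/pdf', head: enc.encode('<html>') },
};

for (const [name, obj] of Object.entries(SAMPLES)) {
  const d = decidePreview(obj);
  console.log(name, d.render ? 'render (sandboxed)' : `download: ${d.reason}`);
}
```

The three checks are deliberately redundant: the declared type alone is attacker-controlled metadata, which is exactly what the advisory's xss.pdf abuses, so the extension and the magic bytes have to agree with it before anything is embedded. Verify that the browser's built-in PDF viewer renders inside a fully sandboxed frame in your deployment; if it does not, hosting object data on the separate origin the advisory recommends is the fallback that still keeps previewed content away from the console's storage.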

RustFS users should audit logs for suspicious previews. Credits to reporter naoyashiga on GitHub.
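As an added example of the log audit suggested above (not RustFS code, and the JSON-lines record shape used here is an assumption rather than RustFS's actual log format), the script below scans constructed S3-style access records for objects whose declared Content-Type is active content while the key looks like a passive document, and lists who fetched each such object afterwards.

```javascript
// Added example, not RustFS project code. Triage of constructed S3-style audit
// records (JSON lines; this record shape is an assumption, not RustFS's real
// log format) for uploads whose declared type is active content behind a
// document-looking key, plus the users who later fetched them.

const ACTIVE_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml', 'text/xml', 'application/xml',
]);
const DOCUMENT_EXTS = new Set([
  'pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt', 'csv', 'doc', 'docx', 'xls', 'xlsx',
]);

function extOf(key) {
  const m = /\.([a-z0-9]+)$/i.exec(key.split('/').pop());
  return m ? m[1].toLowerCase() : '';
}

function baseType(ct) {
  return (ct || '').split(';')[0].trim().toLowerCase();
}

// Parse one JSON line; malformed lines are skipped rather than aborting triage.
function parseRecord(line) {
  try {
    const r = JSON.parse(line);
    return r && typeof r.key === 'string' && typeof r.method === 'string' ? r : null;
  } catch {
    return null;
  }
}

// Returns one alert per disguised upload, with every later reader of that key.
function findDisguisedUploads(lines) {
  const records = lines.map(parseRecord).filter(Boolean)
    .sort((a, b) => (a.time < b.time ? -1 : a.time > b.time ? 1 : 0));
  const alerts = [];
  for (const r of records) {
    if (r.method !== 'PUT') continue;
    const ct = baseType(r.contentType);
    if (!ACTIVE_TYPES.has(ct) || !DOCUMENT_EXTS.has(extOf(r.key))) continue;
    const viewedBy = records
      .filter((g) => g.method === 'GET' && g.bucket === r.bucket && g.key === r.key && g.time > r.time)
      .map((g) => g.user);
    alerts.push({
      bucket: r.bucket,
      key: r.key,
      contentType: ct,
      uploadedBy: r.user,
      uploadedAt: r.time,
      viewedBy: [...new Set(viewedBy)],
    });
  }
  return alerts;
}

// Constructed sample records (not real logs).
const SAMPLE_LOG = [
  '{"time":"2026-03-01T10:00:01Z","method":"PUT","bucket":"my-bucket","key":"xss.pdf","contentType":"text/html; charset=utf-8","user":"uploader"}',
  '{"time":"2026-03-01T10:00:05Z","method":"PUT","bucket":"my-bucket","key":"report.pdf","contentType":"application/pdf","user":"uploader"}',
  '{"time":"2026-03-01T10:00:09Z","method":"PUT","bucket":"my-bucket","key":"site/index.html","contentType":"text/html","user":"webteam"}',
  'not json at all',
  '{"time":"2026-03-01T10:02:00Z","method":"GET","bucket":"my-bucket","key":"xss.pdf","user":"admin"}',
  '{"time":"2026-03-01T10:03:00Z","method":"GET","bucket":"my-bucket","key":"report.pdf","user":"admin"}',
  '{"time":"2026-03-01T10:04:00Z","method":"GET","bucket":"my-bucket","key":"xss.pdf","user":"admin"}',
];

for (const a of findDisguisedUploads(SAMPLE_LOG)) {
  console.log(`${a.bucket}/${a.key} declared ${a.contentType} by ${a.uploadedBy}; viewed by: ${a.viewedBy.join(', ') || 'nobody'}`);
}
```

A legitimate index.html declared as text/html is not flagged, because the signal is the mismatch between an active content type and a document-style extension, not the content type alone. Every admin listed under viewedBy for an alert should be treated as having had their stored S3 credentials exposed and have them rotated.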


The post Stored XSS Flaw in RustFS Console Leaks Admin S3 Credentials appeared first on Cyber Security News.
