A newly disclosed vulnerability in the RustFS Console has been classified as a critical stored XSS flaw, enabling attackers to steal admin S3 credentials and seize complete control of storage environments. Tracked as CVE‑2026‑27822, this bug allows malicious files to execute JavaScript inside the console’s origin—effectively bypassing isolation protections and granting access to sensitive AWS‑style keys stored in the browser.

Because RustFS hosts its management console and S3 API under the same origin, this issue exposes organizations to severe data theft, bucket deletion, unauthorized uploads, and full infrastructure compromise.

This article breaks down how the vulnerability works, why it’s so dangerous, and what security teams must do immediately.

What Is the RustFS Stored XSS Vulnerability?

The RustFS flaw, published under GHSA‑v9fg‑3cr2‑277j, affects all versions prior to 1.0.0‑alpha.82 and stems from unsafe rendering in the file preview modal located in:

console/components/object/preview-modal.vue

The root issue:

RustFS displays untrusted file content in an iframe without validating content‑types or isolating origins.

Attackers can upload files disguised as PDFs, but with HTML content and a text/html Content‑Type, allowing arbitrary JavaScript to execute when an administrator previews the file.

This malicious script runs in the same origin as the RustFS Console, giving it full access to:

localStorage
RustFS admin authentication tokens
S3 credentials (AccessKeyId, SecretAccessKey, SessionToken)

Why the Same-Origin Setup Made This Critical

RustFS hosts its S3 API and console UI under one origin. This design flaw creates a high‑risk overlap:

Untrusted files → rendered in iframe
Iframe shares origin with the console
Attacker’s script gains admin-level browser privileges

Once JavaScript runs, the attacker immediately gets:

Admin S3 access
Session tokens
Ability to impersonate admins
Permission to delete buckets
Power to exfiltrate entire S3 datasets
Capability to plant malicious backdoors

This transforms a simple XSS bug into a full storage-system takeover.

Vulnerability Breakdown

Attack Location: File Preview Modal

The vulnerable component loads PDFs inside an iframe, but never checks:

MIME type
File extension authenticity
Content sanitization
Security headers

Stored XSS Execution Path

Attacker uploads a malicious file named xss.pdf, containing HTML + JS
File metadata sets: Content-Type: text/html
Admin previews the file in RustFS Console
iframe loads attacker-controlled HTML
JavaScript executes in same origin as the console
Script extracts S3 credentials from localStorage

Sensitive Data Stored in Browser

RustFS stores credentials in composables/useAuth.ts:

AccessKeyId
SecretAccessKey
SessionToken

No encryption, sandboxing, or isolation protects these values from script access.

Technical Details (CVE‑2026‑27822)

Field	Details
CVE ID	CVE‑2026‑27822
Severity	Critical
CVSS Score	9.9 / 10
Vector	Network, Stored XSS
Attack Complexity	Low
Privileges Required	Low
User Interaction	Required (admin preview)
Affected Versions	< 1.0.0‑alpha.82
Patched Version	1.0.0‑alpha.83

This combination—stored XSS + admin interaction + changed scope—creates an extremely high‑impact vulnerability in shared environments.

Proof-of-Concept Attack (As Published)

1. Create XSS Payload

HTML

alert(‘XSS Success!\nLocalStorage Data: ‘ +

JSON.stringify(window.parent.localStorage)

);

</script>
Show more lines

2. Upload File Disguised as PDF

Shell

mc cp xss.html rustfs/my-bucket/xss.pdf –attr “Content-Type=text/html”
Show more lines

3. Admin Opens Preview

Once the admin views xss.pdf in the console:

iframe loads malicious HTML
JavaScript accesses window.parent.localStorage
Admin’s S3 credentials are displayed or exfiltrated

A PoC screenshot shows credentials successfully stolen.

Impact Analysis: Full S3 Takeover

Once the attacker has S3 credentials:

They can perform any S3 action

Delete buckets
Exfiltrate massive datasets
Upload malicious objects
Replace business‑critical files
Inject persistence mechanisms
Execute supply‑chain attacks via poisoned artifacts

They can impersonate admins

With session tokens, attackers can reauthenticate and maintain long‑term access.

They can pivot deeper

Stolen credentials may unlock:

CI/CD pipelines
Backups
Object versioning
Data lake infrastructure

This vulnerability allows attackers to escalate from a single malicious upload to enterprise‑wide compromise.

Best Practices: How to Defend Against This Vulnerability

1. Upgrade Immediately

Patch to RustFS 1.0.0‑alpha.83.

2. Implement Origin Isolation

Host components under different domains:

Console → console.rustfs.io
S3 API → data.rustfs.io

Prevents iframe content from accessing admin data.

3. Add Critical Security Headers

Content-Security-Policy: block inline scripts and cross-origin loads
X-Content-Type-Options: nosniff: prevents MIME confusion
X-Frame-Options / frame-ancestors: reduces iframe risks

4. Validate File Types Server-Side

Reject or sanitize:

Unexpected MIME types
HTML disguised as PDFs
Files with mismatched extensions

5. Sanitize Preview Content

All previewed content must be:

Isolated
Sandboxed
Rendered with strict sandbox="" flags

6. Monitor Logs

Audit:

File previews
Unusual object uploads
Unauthorized S3 activity
Credential reuse

Detection and Incident Response Steps

Immediate Actions

Rotate AccessKeyId, SecretAccessKey, and SessionToken
Review S3 bucket access logs
Identify previously previewed suspicious files
Check for unexpected bucket deletions or modifications

Hunt for Indicators

Unrecognized xss.pdf or similar uploads
Metadata spoofing (Content-Type=text/html)
Unusual admin logins or API calls

Containment

Revoke compromised credentials
Disable vulnerable preview endpoints
Force logout sessions storing outdated tokens

FAQs

1. Does this vulnerability require admin privileges?

No. The attacker needs only low-privilege upload access; the admin triggers the attack during preview.

2. Can this be exploited remotely?

Yes. The attack works over the network.

3. What makes the impact so severe?

Same-origin behavior + XSS → direct access to S3 credentials.

4. Is there a patch available?

Yes, fixed in 1.0.0‑alpha.83.

5. What is the simplest mitigation?

Separate the S3 API and console into distinct domains and apply CSP.

Conclusion

CVE‑2026‑27822 demonstrates how stored XSS in privileged admin interfaces can escalate into catastrophic cloud‑storage compromise. RustFS’s same‑origin design amplified the severity, enabling full credential theft and S3 takeover with a single malicious upload.

Organizations must patch immediately, rotate compromised keys, enforce origin isolation, and introduce strong content-type validation to prevent similar failures.