CVE-2026-21862: RustFS has SourceIp bypass via spoofed X-Forwarded-For/Real-IP headers
IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies.
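The trust decision described above, as an added example that is not RustFS code: the first function takes the source address from the headers unconditionally, the second honors them only when the direct peer is a configured trusted proxy. The Req struct, both function names, the trusted-proxy list and all addresses are hypothetical and constructed for illustration.

```rust
use std::net::IpAddr;

/// Constructed request view: TCP peer address plus the two forwarding headers.
pub struct Req<'a> {
    pub peer: IpAddr,
    pub x_forwarded_for: Option<&'a str>,
    pub x_real_ip: Option<&'a str>,
}

/// The pattern the advisory describes: a header value wins, whoever sent it.
pub fn source_ip_naive(r: &Req<'_>) -> IpAddr {
    r.x_forwarded_for
        .and_then(|v| v.split(',').next())
        .or(r.x_real_ip)
        .and_then(|s| s.trim().parse::<IpAddr>().ok())
        .unwrap_or(r.peer)
}

/// Hardened form: headers count only when the direct peer is a trusted proxy.
/// X-Forwarded-For is read right to left; the first hop that is not a trusted
/// proxy is the client, because everything left of it is client-controlled.
pub fn source_ip_trusted(r: &Req<'_>, trusted: &[IpAddr]) -> IpAddr {
    if !trusted.contains(&r.peer) {
        return r.peer; // direct client: ignore anything it claims about itself
    }
    if let Some(xff) = r.x_forwarded_for {
        for hop in xff.rsplit(',') {
            match hop.trim().parse::<IpAddr>() {
                Ok(ip) if trusted.contains(&ip) => continue,
                Ok(ip) => return ip,
                Err(_) => return r.peer, // malformed chain: fall back to the peer
            }
        }
        return r.peer; // chain held only trusted proxies
    }
    r.x_real_ip
        .and_then(|s| s.trim().parse::<IpAddr>().ok())
        .unwrap_or(r.peer)
}

fn main() {
    // Constructed sample: an untrusted client claims an allowlisted address.
    let proxies = ["192.0.2.10".parse::<IpAddr>().unwrap()];
    let spoof = Req { peer: "203.0.113.7".parse().unwrap(), x_forwarded_for: Some("10.0.0.5"), x_real_ip: None };
    println!("naive:   {}", source_ip_naive(&spoof));
    println!("trusted: {}", source_ip_trusted(&spoof, &proxies));
}
```

The value returned by the hardened function is what should feed the aws:SourceIp condition; with an empty trusted-proxy list it always equals the socket peer.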