External risk intelligence

RustFS Console Stored XSS Exposes Cloud Credentials.

CVE advisorySeverity: CRITICAL (CVSS 9.0)

CVE-2026-62378

The vulnerability exists in a web-based management console for a distributed file system. Such consoles are commonly deployed as web applications intended for administrative access, which are frequently exposed as internet-facing or edge services for remote management, making them reachable via the public internet in many deployment scenarios.

Cross-site Scripting

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a security flaw in the RustFS Console, a web management tool for a distributed file system. The vulnerability could allow an attacker to execute malicious code within the console and potentially access sensitive administrator credentials. The main concern is confirming relevance and exposure.

  • Flaw allows code execution and credential theft.
  • Affects web console, used for managing file systems.
  • Confirm if your RustFS Console is exposed.

Attack Path

How an attacker could exploit the issue

An attacker with limited access to the RustFS Console could upload a malicious HTML file disguised as a PDF. When this file is previewed through the console's PDF viewer, it can execute arbitrary HTML content, leading to stored cross-site scripting attacks. This could allow an attacker to steal sensitive administrator credentials, such as AccessKeyId, SecretAccessKey, and SessionToken.

  • Attacker uploads malicious PDF.
  • Vulnerable PDF preview renders HTML.
  • Sensitive credentials may be exposed.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, uploaded PDF files that contain HTML could be rendered as HTML within the RustFS Console, potentially leading to stored cross-site scripting. This could expose administrator credentials like AccessKeyId, SecretAccessKey, and SessionToken values.

  • Administrator credentials could be exposed.
  • Stored XSS via malicious PDF uploads.
  • Compromise of sensitive access tokens.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and platform teams are likely responsible for addressing this stored cross-site scripting vulnerability in the RustFS Console. The immediate first step is to identify all instances of the affected technology, determine their reachability and business criticality, and locate the accountable owner for each. Subsequently, a risk-based remediation plan, considering vendor coordination and maintenance windows, should be developed.

  • Identify affected RustFS Console instances.
  • Verify reachability and business criticality.
  • Plan remediation with accountable owners.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the RustFS Console?

RustFS Console is a web-based management interface designed for the RustFS distributed file system. It provides administrators with a centralized dashboard to interact with their file storage infrastructure, including features for viewing objects and managing system settings.

What does CWE-79 mean for CVE-2026-62378?

This CVE involves CWE-79, or Stored Cross-Site Scripting (XSS). In plain English, the software incorrectly treats malicious HTML content hidden inside a file as safe to display. Because the console stores this file, it can automatically execute that malicious code whenever an administrator views the file, potentially granting an attacker access to the administrator's session and sensitive credentials.

How is this RustFS Console vulnerability triggered?

The flaw is triggered when an attacker uploads a file disguised as a PDF that actually contains malicious HTML code. When the console's preview feature attempts to render this file, the hidden code executes. Simply uploading a file does not trigger the bug; the code only runs if an administrator or user intentionally opens the file using the affected PDF preview path in the console.

Is my RustFS Console at risk?

According to Halo Surface Signal, this console is often deployed as a web application for administrative tasks and is frequently reachable via the internet. If your RustFS Console is accessible from the public internet or an untrusted network, your risk of exposure is higher because the management interface itself is the target.

How do I secure my environment against this CVE?

The primary response is to update the RustFS Console to version 0.1.10 or later, which contains the fix. First, create an inventory of all deployed instances to identify those running vulnerable versions. Once identified, coordinate with your system owners to apply the software update during a scheduled maintenance window.

References