Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, RustFS suffers from sensitive information leakage in log outputs. When the server is run with RUST_LOG=debug sensitive credentials including SessionToken (JWT), SecretAccessKey, and full JWT claims are printed in plaintext to the server logs. This vulnerability is fixed in 1.0.0-beta.2.
AnalysisAI
RustFS distributed object storage (all versions prior to 1.0.0-beta.2) leaks sensitive credentials - including SessionTokens (JWT), SecretAccessKeys, and full JWT claim payloads - in plaintext to server logs when debug-level logging is active. Any authenticated party with read access to those log files can harvest live credentials for lateral movement or unauthorized storage access. No public exploit identified at time of analysis, but the impact of credential exposure is high if debug logging is inadvertently enabled in production. A vendor-released patch is available in 1.0.0-beta.2.
Technical ContextAI
RustFS is a distributed object storage system written in Rust, conceptually analogous to MinIO or AWS S3-compatible backends. The affected CPE is cpe:2.3:a:rustfs:rustfs:*:*:*:*:*:*:*:*, covering all releases prior to 1.0.0-beta.2. The root cause maps to CWE-312 (Cleartext Storage of Sensitive Information): the application's debug-level logging code paths emit full credential objects - JWT SessionTokens, SecretAccessKeys, and JWT claim structures - without redaction or masking. Rust applications configure log verbosity via the RUST_LOG environment variable; setting it to 'debug' unlocks verbose internal state dumps, including sensitive authentication material that was not properly sanitized before being passed to the logging subsystem. This is a common development oversight where credential-bearing structs implement Debug or Display traits that expose all fields.
RemediationAI
Upgrade to RustFS 1.0.0-beta.2 or later, which contains the vendor-released fix for this vulnerability; the advisory at https://github.com/rustfs/rustfs/security/advisories/GHSA-8cm2-h255-v749 confirms this as the patched release. As an immediate compensating control prior to patching, change the RUST_LOG environment variable from 'debug' to 'info' or 'warn' in all RustFS server processes and restart the service - this eliminates the credential leakage path entirely since the exposure only occurs at debug verbosity. Note that downgrading log verbosity may reduce diagnostic visibility during troubleshooting; teams relying on debug logs for observability should implement structured logging with field-level redaction as a longer-term control. Critically, audit any existing log files generated while RUST_LOG=debug was active: rotate all exposed SecretAccessKeys and revoke or reissue any SessionTokens or JWTs that may have been captured. Restrict filesystem permissions on log output directories to 600 or equivalent to limit the blast radius of any future logging incidents.
RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files o
RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted c
Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored ob
Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permis
RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invali
Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remot
Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportI
Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0
License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded
Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket wri
Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no ef
Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to
Same weakness CWE-312 – Cleartext Storage of Sensitive Information
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32997