Which versions of RustFS are affected by CVE-2026-45041?

RustFS distributed object storage versions prior to 1.0.0-beta.2 expose a security key in their public source code that completely disables license enforcement.. A patch is available.

RustFS CVE-2026-45041

Q: What is the CVSS score of CVE-2026-45041?

CVE-2026-45041 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

EUVD-2026-32996 HIGH

Use of Hard-coded Cryptographic Key (CWE-321)

2026-05-28 GitHub_M

Information Disclosure Rustfs

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 28, 2026 - 20:02 EUVD

Analysis Generated

May 28, 2026 - 19:28 vuln.today

CVSS changed

May 28, 2026 - 19:22 NVD

8.7 (HIGH)

DescriptionNVD

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TEST_PRIVATE_KEY and uses it in production via parse_license() to "verify" license tokens. Because the key is embedded in every published source release and binary, anyone who can read the repository or extract it from the binary can mint arbitrary license tokens (any subject, any expiration). When the license Cargo feature is enabled, this defeats the entire license-enforcement mechanism. This vulnerability is fixed in 1.0.0-beta.2.

AnalysisAI

License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded 2048-bit RSA private key (TEST_PRIVATE_KEY) shipped in crates/appauth/src/token.rs and used in production by parse_license() to verify license tokens. Any attacker who can read the public repository or extract the key from a compiled binary can mint arbitrary license tokens with any subject and expiration, defeating the license feature entirely. …

RemediationAI

24 hours: Identify all RustFS deployments running versions prior to 1.0.0-beta.2 and assess which production systems depend on license enforcement for access control. 7 days: Deploy network isolation and application-level access controls to compensate for the disabled license verification; contact RustFS vendor for patch availability timeline. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-45041 vulnerability details – vuln.today

Back

RustFS CVE-2026-45041

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

RustFS CVE-2026-45041

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code