Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TEST_PRIVATE_KEY and uses it in production via parse_license() to "verify" license tokens. Because the key is embedded in every published source release and binary, anyone who can read the repository or extract it from the binary can mint arbitrary license tokens (any subject, any expiration). When the license Cargo feature is enabled, this defeats the entire license-enforcement mechanism. This vulnerability is fixed in 1.0.0-beta.2.
AnalysisAI
License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded 2048-bit RSA private key (TEST_PRIVATE_KEY) shipped in crates/appauth/src/token.rs and used in production by parse_license() to verify license tokens. Any attacker who can read the public repository or extract the key from a compiled binary can mint arbitrary license tokens with any subject and expiration, defeating the license feature entirely. No public exploit identified at time of analysis, though the key material is trivially recoverable from the open-source code.
Technical ContextAI
RustFS is a Rust-based distributed object storage system (S3-compatible) whose optional 'license' Cargo feature gates commercial functionality behind signed license tokens. The vulnerability sits in the appauth crate, where parse_license() validates tokens using an RSA-2048 keypair whose private half is embedded as a string constant intended for tests but reused in production builds. This is a textbook CWE-321 (Use of Hard-coded Cryptographic Key) issue - asymmetric signing only provides security when the private key is held by the signer alone, but here every consumer of the source or binary holds both halves, collapsing the trust model to symmetric-key-with-public-secret. The affected CPE is cpe:2.3:a:rustfs:rustfs covering all versions up to 1.0.0-beta.2.
RemediationAI
Vendor-released patch: upgrade to RustFS 1.0.0-beta.2 or later, which removes the hardcoded TEST_PRIVATE_KEY from production code paths; see https://github.com/rustfs/rustfs/security/advisories/GHSA-923g-jp7v-f97f for advisory details. As a compensating control until the upgrade is applied, build RustFS without the license Cargo feature, which removes the parse_license() code path entirely (trade-off: any commercial features gated behind licensing become unavailable), or rotate to an out-of-band license-verification mechanism using a private key held only by the vendor. Operators should also audit any previously issued license tokens, since forged tokens are cryptographically indistinguishable from legitimate ones and cannot be detected retroactively without rekeying.
RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files o
RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted c
Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored ob
Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permis
RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invali
Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remot
Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportI
Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0
Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket wri
Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no ef
Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to
RustFS is a distributed object storage system built in Rust. [CVSS 4.0 MEDIUM]
Same weakness CWE-321 – Use of Hard-coded Cryptographic Key
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32996