Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
Description (GitHub Advisory)
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TEST_PRIVATE_KEY and uses it in production via parse_license() to "verify" license tokens. Because the key is embedded in every published source release and binary, anyone who can read the repository or extract it from the binary can mint arbitrary license tokens (any subject, any expiration). When the license Cargo feature is enabled, this defeats the entire license-enforcement mechanism. This vulnerability is fixed in 1.0.0-beta.2.
Analysis (AI)
License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded 2048-bit RSA private key (TEST_PRIVATE_KEY) shipped in crates/appauth/src/token.rs and used in production by parse_license() to verify license tokens. Any attacker who can read the public repository or extract the key from a compiled binary can mint arbitrary license tokens with any subject and expiration, defeating the license feature entirely. …
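As an added defensive check (not code from RustFS or from the advisory), the Python below scans Rust source for a private-key PEM block bound to a `const`/`static` and reports every line that then consumes that name, which is the pattern the description above identifies: key material that should never ship reaching the routine that checks license tokens. The sample file is constructed to model that pattern; `verify_rs256` and the type names inside it are hypothetical, and the key body is a placeholder.

```python
import re

# Constructed sample modelling the pattern the advisory describes; it is NOT the
# real crates/appauth/src/token.rs. verify_rs256 and the types are hypothetical.
SAMPLE_TOKEN_RS = """\
const TEST_PRIVATE_KEY: &str = "-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAplaceholder...
-----END RSA PRIVATE KEY-----";

pub fn parse_license(token: &str) -> Result<License, LicenseError> {
    verify_rs256(token, TEST_PRIVATE_KEY)  // hypothetical verifier
}
"""

# Header of any private-key PEM container; public keys never carry this.
PEM_PRIVATE = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
# Rust binding: `const NAME: &str = ...` or `static NAME: ...`
CONST_BINDING = re.compile(r"\b(?:const|static)\s+([A-Za-z_]\w*)\s*:")


def find_embedded_private_keys(source, lookback=3):
    """Return [(name, line_no)] (1-based) for each private-key PEM header bound to
    a const/static; name is None if no binding sits within `lookback` lines."""
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not PEM_PRIVATE.search(line):
            continue
        name = None
        for j in range(i, max(-1, i - lookback), -1):  # scan back to the binding
            m = CONST_BINDING.search(lines[j])
            if m:
                name = m.group(1)
                break
        findings.append((name, i + 1))
    return findings


def find_uses(source, name, defined_at):
    """1-based line numbers that reference `name` outside its definition."""
    pat = re.compile(r"\b" + re.escape(name) + r"\b")
    return [n for n, line in enumerate(source.splitlines(), 1)
            if n != defined_at and pat.search(line)]


def audit(source):
    """Pair each embedded private key with the lines that consume it."""
    report = []
    for name, line_no in find_embedded_private_keys(source):
        uses = find_uses(source, name, line_no) if name else []
        report.append({"name": name, "defined_at": line_no, "used_at": uses})
    return report
```

Run `audit()` over each `.rs` file in a checkout; a finding with a non-empty `used_at` list is the case worth a manual look, since a key that is defined but never referenced is dead code rather than a verification path.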
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the target RustFS binary to be built with the `license` Cargo feature enabled; without that feature flag, the parse_license() code path is not compiled in and the hardcoded key is unreachable. … |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N rates this 8.7 with high integrity impact (VI:H) and no confidentiality or availability impact, which fits a license-forgery scenario rather than data theft or service disruption. … |
| Exploit Scenario | An attacker clones the public RustFS repository, extracts the TEST_PRIVATE_KEY constant from crates/appauth/src/token.rs, and uses any standard JWT/RSA tooling to sign a license token with an arbitrary subject (e.g., 'enterprise-customer') and a far-future expiration. They then present this token to a RustFS instance built with the `license` feature, which validates it successfully against the embedded public key and unlocks gated functionality without ever paying or obtaining a legitimate license. |
| Remediation | Vendor-released patch: upgrade to RustFS 1.0.0-beta.2 or later, which removes the hardcoded TEST_PRIVATE_KEY from production code paths; see https://github.com/rustfs/rustfs/security/advisories/GHSA-923g-jp7v-f97f for advisory details. … |
Recommended Action (AI)
24 hours: Identify all RustFS deployments running versions prior to 1.0.0-beta.2 and assess which production systems depend on license enforcement for access control. …
EUVD-2026-32996