Skip to main content

RustFS EUVDEUVD-2026-32997

| CVE-2026-45040 MEDIUM
Cleartext Storage of Sensitive Information (CWE-312)
2026-05-28 GitHub_M
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 28, 2026 - 20:02 EUVD
Analysis Generated
May 28, 2026 - 19:29 vuln.today
CVSS changed
May 28, 2026 - 19:22 NVD
5.3 (MEDIUM)

DescriptionGitHub Advisory

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, RustFS suffers from sensitive information leakage in log outputs. When the server is run with RUST_LOG=debug sensitive credentials including SessionToken (JWT), SecretAccessKey, and full JWT claims are printed in plaintext to the server logs. This vulnerability is fixed in 1.0.0-beta.2.

AnalysisAI

RustFS distributed object storage (all versions prior to 1.0.0-beta.2) leaks sensitive credentials - including SessionTokens (JWT), SecretAccessKeys, and full JWT claim payloads - in plaintext to server logs when debug-level logging is active. Any authenticated party with read access to those log files can harvest live credentials for lateral movement or unauthorized storage access. No public exploit identified at time of analysis, but the impact of credential exposure is high if debug logging is inadvertently enabled in production. A vendor-released patch is available in 1.0.0-beta.2.

Technical ContextAI

RustFS is a distributed object storage system written in Rust, conceptually analogous to MinIO or AWS S3-compatible backends. The affected CPE is cpe:2.3:a:rustfs:rustfs:*:*:*:*:*:*:*:*, covering all releases prior to 1.0.0-beta.2. The root cause maps to CWE-312 (Cleartext Storage of Sensitive Information): the application's debug-level logging code paths emit full credential objects - JWT SessionTokens, SecretAccessKeys, and JWT claim structures - without redaction or masking. Rust applications configure log verbosity via the RUST_LOG environment variable; setting it to 'debug' unlocks verbose internal state dumps, including sensitive authentication material that was not properly sanitized before being passed to the logging subsystem. This is a common development oversight where credential-bearing structs implement Debug or Display traits that expose all fields.

RemediationAI

Upgrade to RustFS 1.0.0-beta.2 or later, which contains the vendor-released fix for this vulnerability; the advisory at https://github.com/rustfs/rustfs/security/advisories/GHSA-8cm2-h255-v749 confirms this as the patched release. As an immediate compensating control prior to patching, change the RUST_LOG environment variable from 'debug' to 'info' or 'warn' in all RustFS server processes and restart the service - this eliminates the credential leakage path entirely since the exposure only occurs at debug verbosity. Note that downgrading log verbosity may reduce diagnostic visibility during troubleshooting; teams relying on debug logs for observability should implement structured logging with field-level redaction as a longer-term control. Critically, audit any existing log files generated while RUST_LOG=debug was active: rotate all exposed SecretAccessKeys and revoke or reissue any SessionTokens or JWTs that may have been captured. Restrict filesystem permissions on log output directories to 600 or equivalent to limit the blast radius of any future logging incidents.

More in Rustfs

View all
CVE-2025-68705 CRITICAL POC
9.8 Jan 07

RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files o

CVE-2026-22043 CRITICAL POC
9.8 Jan 08

RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted c

CVE-2026-27822 CRITICAL POC
9.0 Feb 25

Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored ob

CVE-2026-22042 HIGH POC
8.8 Jan 08

Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permis

CVE-2026-22782 HIGH POC
7.5 Jan 16

RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invali

CVE-2026-45039 CRITICAL
9.8 May 28

Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remot

CVE-2026-45043 CRITICAL
9.3 May 29

Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportI

CVE-2026-45044 HIGH
8.8 May 28

Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0

CVE-2026-45041 HIGH
8.7 May 28

License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded

CVE-2026-49991 HIGH
8.6 Jun 26

Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket wri

CVE-2026-55188 HIGH
8.2 Jun 26

Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no ef

CVE-2026-27607 HIGH
8.1 Feb 25

Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to

Share

EUVD-2026-32997 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy