CVE-2025-68926
Hardcoded Token Authentication Bypass in RustFS Enables Data Destruction

Publication date: 2025-12-30

Last updated on: 2025-12-30

Assigner: GitHub, Inc.

Description
RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.77, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.77 contains a fix for the issue.
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-12-30
EPSS Evaluated: 2026-06-15
NVD
Affected Vendors & Products (1 associated CPE)
Vendor: rustfs; Product: rustfs; Version / Range: *
CWE ID: Description
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-798: The product contains hard-coded credentials, such as a password or cryptographic key.
AI Quick Actions
Executive Summary

This vulnerability exists in RustFS versions prior to 1.0.0-alpha.77, where the system uses a hardcoded static gRPC authentication token "rustfs rpc" that is publicly exposed in the source code. This token is hardcoded on both client and server sides, cannot be configured or rotated, and is valid across all RustFS deployments. An attacker with network access to the gRPC port can use this token to authenticate and perform privileged operations.

Impact Analysis

An attacker exploiting this vulnerability can authenticate to the RustFS system remotely and execute privileged operations such as data destruction, policy manipulation, and changes to cluster configuration. This can lead to severe data loss, unauthorized access, and disruption of services.

Mitigation Strategies

Upgrade RustFS to version 1.0.0-alpha.77 or later, which contains a fix for the hardcoded static token vulnerability. Until the upgrade is applied, restrict network access to the gRPC port to trusted hosts only to prevent unauthorized authentication using the publicly known token.
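The description and mitigation above frame the weakness as a single token that is compiled into both sides, identical in every deployment, and impossible to rotate. The following Rust example is added here for illustration and is not RustFS's own code or its fixed implementation: it places that vulnerable check beside a hardened one in which the operator supplies a per-deployment secret, a previous secret stays valid during a rotation window, and the comparison does not short-circuit. The `RpcAuth` type, the `RPC_SECRET` and `RPC_SECRET_PREVIOUS` environment variable names, and the request metadata are all assumptions made for the example.

```rust
// Added illustrative example, not RustFS's own code. It contrasts the weakness
// the advisory describes (one static token, shared by every deployment, with no
// way to rotate it) with a per-deployment secret that can be rotated.
use std::collections::HashMap;

/// The vulnerable pattern: a compile-time constant is the whole credential.
const WELL_KNOWN_TOKEN: &str = "rustfs rpc";

/// Vulnerable check: anyone who has read the public source can pass it.
pub fn check_auth_vulnerable(metadata: &HashMap<String, String>) -> bool {
    metadata.get("authorization").map_or(false, |v| v == WELL_KNOWN_TOKEN)
}

/// Hardened check: the operator supplies a secret per deployment; an optional
/// previous secret stays valid during a rotation window.
pub struct RpcAuth {
    accepted: Vec<Vec<u8>>,
}

impl RpcAuth {
    /// Rejects a short or well-known secret instead of falling back to a default.
    pub fn new(current: &str, previous: Option<&str>) -> Result<Self, &'static str> {
        let mut accepted = Vec::new();
        for s in std::iter::once(current).chain(previous) {
            if s == WELL_KNOWN_TOKEN {
                return Err("refusing the publicly known default token");
            }
            if s.len() < 32 {
                return Err("rpc secret must be at least 32 bytes");
            }
            accepted.push(s.as_bytes().to_vec());
        }
        Ok(Self { accepted })
    }

    /// Loads the secrets from the environment. The variable names are hypothetical.
    pub fn from_env() -> Result<Self, &'static str> {
        let current = std::env::var("RPC_SECRET").map_err(|_| "RPC_SECRET is not set")?;
        let previous = std::env::var("RPC_SECRET_PREVIOUS").ok();
        Self::new(&current, previous.as_deref())
    }

    /// Returns true only if the presented header matches an accepted secret.
    /// Every candidate is compared, so timing does not reveal which one matched.
    pub fn check(&self, metadata: &HashMap<String, String>) -> bool {
        let presented = match metadata.get("authorization") {
            Some(v) => v.as_bytes(),
            None => return false,
        };
        let mut ok = false;
        for secret in &self.accepted {
            ok |= constant_time_eq(presented, secret);
        }
        ok
    }
}

/// Length check followed by a byte comparison that does not stop at the first difference.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

fn main() {
    // Constructed request metadata carrying the well-known token.
    let mut md = HashMap::new();
    md.insert("authorization".to_string(), WELL_KNOWN_TOKEN.to_string());
    println!("vulnerable check accepts well-known token: {}", check_auth_vulnerable(&md));

    let auth = RpcAuth::new("0123456789abcdef0123456789abcdef", None).expect("valid secret");
    println!("hardened check accepts well-known token: {}", auth.check(&md));
}
```

The point of `RpcAuth::new` refusing to start without a secret is that a missing configuration fails closed rather than silently reverting to a default that every copy of the software shares; the `previous` slot is what makes rotation possible without a simultaneous restart of every node.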

Compliance Impact

This vulnerability violates PCI-DSS requirements for strong authentication and multi-factor authentication, and OWASP Top 10 A07:2021 (Identification and Authentication Failures). It also involves multiple CWE entries including CWE-798 (Hard-coded Credentials) and CWE-287 (Improper Authentication). There are potential GDPR and CCPA data breach notification requirements due to the risk of data exposure, which could lead to significant legal, financial, and reputational consequences. [1]

Detection Guidance

This vulnerability can be detected by attempting to authenticate to the RustFS gRPC service using the known hardcoded token "rustfs rpc" on the default gRPC port 9000/TCP. A simple command using grpcurl can be used to test this: `grpcurl -plaintext -H 'authorization: rustfs rpc' <target-ip>:9000 list`. If the command succeeds and returns the list of gRPC services or methods, the system is vulnerable. This confirms that the hardcoded token is accepted and authentication is bypassed. [1]
