CVE-2026-24762
Credential Exposure via INFO-Level Logging in RustFS (alpha.13–alpha

Publication date: 2026-02-03

Last updated on: 2026-02-23

Assigner: GitHub, Inc.

Description
RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material (access key, secret key, session token) to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be accessible to internal or external log consumers and could lead to compromise of sensitive credentials. This issue has been patched in version alpha.82.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 69 associated CPEs
Vendor Product Version / Range
rustfs rustfs 1.0.0
CWE
CWE-532: The product writes sensitive information to a log file.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-24762 is an information disclosure vulnerability in RustFS versions alpha.13 through alpha.81. The vulnerability occurs because RustFS logs sensitive credential material, such as access keys, secret keys, and session tokens, in plaintext at the INFO log level.

These credentials appear directly in application logs, making them accessible to anyone who can view the logs, including internal users or external parties with access to centralized logging systems.

This exposure can lead to compromise of sensitive credentials and unauthorized access to RustFS services.


How can this vulnerability impact me?

The vulnerability can lead to several impacts including:

  • Compromise of sensitive credentials such as access keys, secret keys, and session tokens.
  • Unauthorized authentication to RustFS services using stolen credentials.
  • Session hijacking by attackers who gain access to session tokens.
  • Insider threats from users who have access to the logs containing sensitive information.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability can lead to violations of compliance standards such as PCI-DSS, SOC2, and ISO 27001 because these standards prohibit the exposure of authentication secrets in logs.

Logging sensitive credential material in plaintext can result in non-compliance with data protection and security requirements mandated by these regulations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting the application logs of RustFS versions alpha.13 through alpha.81 for the presence of sensitive credential material such as access keys, secret keys, and session tokens logged in plaintext at the INFO log level.

You can search the logs for keywords like 'access_key', 'secret_key', or 'session_token' to identify if sensitive credentials have been logged.

  • Use command-line tools such as grep to scan log files, for example: grep -iE 'access_key|secret_key|session_token' /path/to/rustfs/logs/*
  • Check centralized logging systems or log aggregators for entries containing these sensitive fields. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade RustFS to version alpha.82 or later, where the issue has been fixed by removing the logging of sensitive credential fields.

Until the upgrade can be performed, restrict access to application logs to only trusted personnel to minimize exposure of sensitive credentials.

Avoid sharing or distributing logs that may contain sensitive credential information.

Review and rotate any credentials that may have been exposed through the logs to prevent unauthorized access.
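As an added illustration of the fix and the detection check described above (example code written for this page, not RustFS's own source), the following contrasts a credential type whose derived Debug output lands every field in an INFO-level `{:?}` log line with a hardened form whose hand-written Debug redacts the secret key and session token, plus a small check that scans a log line for known secret values. The type and field names and the sample values are assumptions.

```rust
use std::fmt;

/// Constructed stand-in for a credential record whose `Debug` is derived:
/// any `{:?}` log call prints every field, including the secrets (CWE-532).
#[derive(Debug)]
pub struct LeakyCredentials {
    pub access_key: String,
    pub secret_key: String,
    pub session_token: Option<String>,
}

/// Hardened form: same fields, but `Debug` is written by hand so the
/// secret key and session token never reach the formatter.
pub struct Credentials {
    pub access_key: String,
    pub secret_key: String,
    pub session_token: Option<String>,
}

impl fmt::Debug for Credentials {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Only the non-secret identifier is printed; the secret key is
        // replaced, and the token keeps its presence/absence but not its value.
        f.debug_struct("Credentials")
            .field("access_key", &self.access_key)
            .field("secret_key", &"[REDACTED]")
            .field("session_token", &self.session_token.as_ref().map(|_| "[REDACTED]"))
            .finish()
    }
}

/// What an INFO-level `info!("loaded credentials {:?}", value)` line would contain.
pub fn info_line<T: fmt::Debug>(value: &T) -> String {
    format!("INFO loaded credentials {:?}", value)
}

/// Detection check: does a log line contain any known secret value verbatim?
pub fn leaks_secret(line: &str, secrets: &[&str]) -> bool {
    secrets.iter().any(|s| !s.is_empty() && line.contains(s))
}

fn main() {
    // Constructed sample values, not real credentials.
    let leaky = LeakyCredentials { access_key: "AKIAEXAMPLE".into(), secret_key: "s3cr3t-example".into(), session_token: Some("tok-example".into()) };
    let safe = Credentials { access_key: "AKIAEXAMPLE".into(), secret_key: "s3cr3t-example".into(), session_token: Some("tok-example".into()) };
    let secrets = ["s3cr3t-example", "tok-example"];
    println!("{} -> leaks: {}", info_line(&leaky), leaks_secret(&info_line(&leaky), &secrets));
    println!("{} -> leaks: {}", info_line(&safe), leaks_secret(&info_line(&safe), &secrets));
}
```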

