CVE-2026-24762
Unknown Unknown - Not Provided
Credential Exposure via INFO-Level Logging in RustFS (alpha.13–alpha

Publication date: 2026-02-03

Last updated on: 2026-02-23

Assigner: GitHub, Inc.

Description
RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material (access key, secret key, session token) to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be accessible to internal or external log consumers and could lead to compromise of sensitive credentials. This issue has been patched in version alpha.82.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24762
EUVD
EUVD-2026-5218
Affected Vendors & Products
Showing 69 associated CPEs
Vendor Product Version / Range
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24762 is an information disclosure vulnerability in RustFS versions alpha.13 through alpha.81. The vulnerability occurs because RustFS logs sensitive credential materialβ€”such as access keys, secret keys, and session tokensβ€”in plaintext at the INFO log level.

These credentials appear directly in application logs, making them accessible to anyone who can view the logs, including internal users or external parties with access to centralized logging systems.

This exposure can lead to compromise of sensitive credentials and unauthorized access to RustFS services.

Impact Analysis

The vulnerability can lead to several impacts including:

  • Compromise of sensitive credentials such as access keys, secret keys, and session tokens.
  • Unauthorized authentication to RustFS services using stolen credentials.
  • Session hijacking by attackers who gain access to session tokens.
  • Insider threats from users who have access to the logs containing sensitive information.
Compliance Impact

This vulnerability can lead to violations of compliance standards such as PCI-DSS, SOC2, and ISO 27001 because these standards prohibit the exposure of authentication secrets in logs.

Logging sensitive credential material in plaintext can result in non-compliance with data protection and security requirements mandated by these regulations.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by inspecting the application logs of RustFS versions alpha.13 through alpha.81 for the presence of sensitive credential material such as access keys, secret keys, and session tokens logged in plaintext at the INFO log level.'}, {'type': 'paragraph', 'content': "You can search the logs for keywords like 'access_key', 'secret_key', or 'session_token' to identify if sensitive credentials have been logged."}, {'type': 'list_item', 'content': "Use command-line tools such as grep to scan log files, for example: grep -iE 'access_key|secret_key|session_token' /path/to/rustfs/logs/*"}, {'type': 'list_item', 'content': 'Check centralized logging systems or log aggregators for entries containing these sensitive fields.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade RustFS to version alpha.82 or later, where the issue has been fixed by removing the logging of sensitive credential fields.

Until the upgrade can be performed, restrict access to application logs to only trusted personnel to minimize exposure of sensitive credentials.

Avoid sharing or distributing logs that may contain sensitive credential information.

Review and rotate any credentials that may have been exposed through the logs to prevent unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24762. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart