CVE-2026-45039
Authentication Bypass in RustFS via Hardcoded Secret
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rustfs | rustfs | to 1.0.0-beta.2 (inc) |
| rustfs | rustfs | to 1.0.0-beta.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1392 | The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality. |
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
RustFS is a distributed object storage system written in Rust. Before version 1.0.0-beta.2, the system's internode RPC layer authenticated requests using an HMAC-SHA256 signature based on a shared secret. However, the function responsible for generating this shared secret would fall back to a default, publicly known secret key "rustfsadmin" if neither the environment variable RUSTFS_RPC_SECRET nor the global S3 secret key was configured. This fallback to a hardcoded default secret key creates a vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to impersonate peer nodes by exploiting a hard-coded default credential, enabling full cluster takeover including disk manipulation, data replication, and erasure group changes. This bypasses S3 access controls entirely, potentially leading to unauthorized access, data breaches, and data integrity violations.
Such unauthorized access and control over data storage systems can result in non-compliance with common standards and regulations like GDPR and HIPAA, which mandate strict controls over data confidentiality, integrity, and access management.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the RustFS internode RPC service is running a vulnerable version (up to 1.0.0-beta.1) and if it is using the default hard-coded RPC secret "rustfsadmin" instead of a configured secret.
Since the fallback to the default secret occurs silently without warnings, detection involves verifying the configuration and network activity related to the RPC port.
- Check the RustFS version to confirm if it is 1.0.0-beta.1 or earlier.
- Inspect environment variables and configuration files for the presence of RUSTFS_RPC_SECRET or global S3 secret key settings.
- Monitor network traffic on the RPC port for unauthorized or suspicious requests whose HMAC-SHA256 signature verifies under the default secret.
Example commands that may help in detection:
- Check RustFS version: `rustfs --version` or check the running process version.
- Check environment variable: `echo $RUSTFS_RPC_SECRET`
- Search configuration files for secret keys: `grep -r 'secret' /etc/rustfs/` or relevant config paths.
- Monitor RPC port (replace <port> with actual RPC port): `sudo tcpdump -i any port <port> -A` to inspect traffic for suspicious authentication attempts.
How can this vulnerability impact me?
Because the system may use a publicly known default secret key for authentication, an attacker could potentially forge valid authentication signatures for internode RPC requests. This could allow unauthorized access to the distributed storage system, leading to full compromise of confidentiality, integrity, and availability of the data and services.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade RustFS to version 1.0.0-beta.2 or later, where the issue is fixed.
Ensure that the RUSTFS_RPC_SECRET environment variable or the global S3 secret key is properly configured to avoid fallback to the default embedded secret.
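The following is an added example, not RustFS's own code, illustrating both the fallback described in the explanation above and the fail-closed configuration the mitigation asks for. It models the two configuration sources the advisory names (RUSTFS_RPC_SECRET and the global S3 secret key) as a small `Config` struct; the function names, the `Config` type, and the `RUSTFS_SECRET_KEY` environment variable used for the S3 key are assumptions for illustration, and only the default value "rustfsadmin" comes from the advisory.

```rust
// Added example (not RustFS's own code): secret resolution for the internode
// RPC layer in its vulnerable shape beside a fail-closed replacement.
// `Config`, the function names and the RUSTFS_SECRET_KEY variable name are
// assumptions; only DEFAULT_RPC_SECRET's value is taken from the advisory.
use std::env;
use std::fmt;

/// Publicly known default that vulnerable versions fell back to.
pub const DEFAULT_RPC_SECRET: &str = "rustfsadmin";

/// Stand-in for the two configuration sources the advisory names.
#[derive(Debug, Default, Clone)]
pub struct Config {
    pub rpc_secret: Option<String>,    // RUSTFS_RPC_SECRET
    pub s3_secret_key: Option<String>, // global S3 secret key
}

/// Reasons the hardened resolver refuses to hand out a secret.
#[derive(Debug, PartialEq)]
pub enum SecretError {
    NotConfigured,
    DefaultSecret,
}

impl fmt::Display for SecretError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            SecretError::NotConfigured => write!(
                f,
                "no RPC secret configured (set RUSTFS_RPC_SECRET or the global S3 secret key)"
            ),
            SecretError::DefaultSecret => write!(
                f,
                "RPC secret equals the publicly known default; choose a unique value"
            ),
        }
    }
}

/// Vulnerable behaviour (CWE-798 / CWE-1392): when neither source is set,
/// silently fall back to a hard-coded secret that anyone can look up.
pub fn resolve_rpc_secret_vulnerable(cfg: &Config) -> String {
    cfg.rpc_secret
        .clone()
        .or_else(|| cfg.s3_secret_key.clone())
        .unwrap_or_else(|| DEFAULT_RPC_SECRET.to_string())
}

/// Hardened behaviour: fail closed. There is no default, an empty value does
/// not count as configured, and a secret that merely repeats the known
/// default is rejected so an operator cannot "configure" their way back
/// into the vulnerable state.
pub fn resolve_rpc_secret_hardened(cfg: &Config) -> Result<String, SecretError> {
    let secret = cfg
        .rpc_secret
        .clone()
        .or_else(|| cfg.s3_secret_key.clone())
        .filter(|s| !s.is_empty())
        .ok_or(SecretError::NotConfigured)?;
    if secret == DEFAULT_RPC_SECRET {
        return Err(SecretError::DefaultSecret);
    }
    Ok(secret)
}

/// Reads the same two sources from the process environment. RUSTFS_RPC_SECRET
/// is named in the advisory; RUSTFS_SECRET_KEY is an assumed name for the
/// global S3 secret key.
pub fn config_from_env() -> Config {
    Config {
        rpc_secret: env::var("RUSTFS_RPC_SECRET").ok(),
        s3_secret_key: env::var("RUSTFS_SECRET_KEY").ok(),
    }
}

fn main() {
    // Startup gate: refuse to bring up the RPC listener with a missing or
    // default secret instead of warning (or, as before the fix, saying nothing).
    match resolve_rpc_secret_hardened(&config_from_env()) {
        Ok(_) => println!("RPC secret configured and not the known default"),
        Err(e) => {
            eprintln!("refusing to start: {e}");
            std::process::exit(1);
        }
    }
}
```

The important design point is that the hardened resolver returns an error rather than a value when nothing is configured; the caller is forced to handle the unconfigured case at startup, which is exactly the moment the original code chose to stay silent. Rejecting an explicitly supplied "rustfsadmin" closes the second path to the same weakness.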