CVE-2026-45040
Status: Deferred - Pending Action
Sensitive Information Leakage in RustFS Logs

Publication date: 2026-05-28

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, RustFS suffers from sensitive information leakage in log outputs. When the server is run with RUST_LOG=debug sensitive credentials including SessionToken (JWT), SecretAccessKey, and full JWT claims are printed in plaintext to the server logs. This vulnerability is fixed in 1.0.0-beta.2.
Meta Information
Generated: 2026-06-18
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16
Affected Vendors & Products (1 associated CPE)
Vendor: rustfs
Product: rustfs
Version / Range: up to 1.0.0-beta.2 (excluding)
CWE
CWE-532: The product writes sensitive information to a log file.
CWE-312: The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Executive Summary

CVE-2026-45040 is a vulnerability in RustFS versions 1.0.0-beta.1 and earlier that causes sensitive information leakage through debug logs.

When the RustFS server is run with the environment variable RUST_LOG=debug, sensitive credentials such as SessionToken (JWT), SecretAccessKey, and full JWT claims are printed in plaintext within the server logs.

The leakage occurs in two main places: first, the Credentials struct is printed using the Debug trait, exposing the session_token in plaintext despite partial masking of the secret_key; second, the s3s dependency logs the full HTTP response at DEBUG level, which includes the SecretAccessKey and SessionToken in the XML response body.

This vulnerability is classified under CWE-312 (Cleartext Storage of Sensitive Information) and CWE-532 (Insertion of Sensitive Information into Log File) and has a low severity rating.

Impact Analysis

This vulnerability can lead to the exposure of sensitive credentials such as SessionToken (JWT), SecretAccessKey, and full JWT claims in plaintext logs.

If an attacker gains access to these logs, they could potentially use the leaked credentials to impersonate users, access protected resources, or escalate privileges within the system.

Because the sensitive information is stored in logs without encryption or masking, it increases the risk of unauthorized access and data breaches.

Detection Guidance

This vulnerability can be detected by examining the server logs for sensitive information leakage when the RustFS server is run with the environment variable RUST_LOG=debug.

Specifically, look for plaintext exposure of sensitive credentials such as SessionToken (JWT), SecretAccessKey, and full JWT claims in the logs.

Commands to help detect this include searching the log files for keywords related to these credentials. For example:

  • grep -i 'SessionToken' /path/to/rustfs/logfile.log
  • grep -i 'SecretAccessKey' /path/to/rustfs/logfile.log
  • grep -i 'JWT' /path/to/rustfs/logfile.log

Additionally, check if the server is running with RUST_LOG=debug set, as this enables the verbose logging that causes the leakage.

  • echo $RUST_LOG

Mitigation Strategies

To mitigate this vulnerability immediately, avoid running the RustFS server with the environment variable RUST_LOG set to debug.

Since the sensitive information leakage occurs only when debug logging is enabled, setting RUST_LOG to a less verbose level (e.g., info or error) will prevent sensitive credentials from being logged.

Additionally, upgrade RustFS to version 1.0.0-beta.2 or later once it becomes available, as this version contains the fix for the vulnerability.
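The advisory attributes the leak to two mechanisms: a credentials struct formatted through the Debug trait, and an HTTP response body (containing SecretAccessKey and SessionToken elements) written to the log at DEBUG level. The following is an added example, not RustFS or s3s code, showing the defensive pattern for both: a hand-written Debug impl that redacts secrets regardless of log level, next to the derive(Debug) form that leaks them, and a body-redaction helper that strips the two named XML elements before a response is logged. Struct and field names (Credentials, access_key, secret_key, session_token), the element names in the sample response, and all credential values are assumptions constructed for the example.

```rust
use std::fmt;

// Constructed sample values for the example; they are not real credentials.
pub const SAMPLE_ACCESS_KEY: &str = "AKIAEXAMPLE0000001";
pub const SAMPLE_SECRET_KEY: &str = "wJalrXUtnFEMI-example-secret-key-0000";
pub const SAMPLE_SESSION_TOKEN: &str = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig";

/// Leaky variant: derive(Debug) prints every field verbatim, so any
/// `{:?}` log call at debug level writes the secret and token in cleartext.
#[derive(Debug)]
pub struct LeakyCredentials {
    pub access_key: String,
    pub secret_key: String,
    pub session_token: String,
}

/// Hardened variant (hypothetical struct, modelled on the advisory text):
/// same data, but Debug is implemented by hand so redaction does not
/// depend on the log level chosen at deployment time.
pub struct Credentials {
    pub access_key: String,
    pub secret_key: String,
    pub session_token: String,
}

/// Keep a short prefix so operators can correlate log lines, never enough
/// of the value to reuse it.
fn mask(value: &str) -> String {
    if value.is_empty() {
        return "<empty>".to_string();
    }
    let shown: String = value.chars().take(4).collect();
    format!("{}...[{} chars redacted]", shown, value.chars().count().saturating_sub(4))
}

impl fmt::Debug for Credentials {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("Credentials")
            .field("access_key", &self.access_key)      // identifier, not a secret
            .field("secret_key", &mask(&self.secret_key))
            .field("session_token", &"<redacted>")     // JWT: never partially shown
            .finish()
    }
}

/// Redact the text content of the named XML elements in a response body
/// before it reaches a log sink. A plain string scan is enough for the two
/// flat elements the advisory names; no XML parser is needed.
pub fn redact_xml_elements(body: &str, elements: &[&str]) -> String {
    const MARKER: &str = "[REDACTED]";
    let mut out = body.to_string();
    for name in elements {
        let open = format!("<{}>", name);
        let close = format!("</{}>", name);
        let mut from = 0;
        while let Some(rel) = out[from..].find(&open) {
            let start = from + rel + open.len();
            match out[start..].find(&close) {
                Some(end_rel) => {
                    out.replace_range(start..start + end_rel, MARKER);
                    from = start + MARKER.len() + close.len();
                }
                None => break, // unterminated element: leave the rest untouched
            }
        }
    }
    out
}

// Constructed sample response body of the shape the advisory describes.
pub const SAMPLE_RESPONSE: &str = "<AssumeRoleResponse><Credentials>\
<AccessKeyId>AKIAEXAMPLE0000001</AccessKeyId>\
<SecretAccessKey>wJalrXUtnFEMI-example-secret-key-0000</SecretAccessKey>\
<SessionToken>eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig</SessionToken>\
</Credentials></AssumeRoleResponse>";

fn sample_leaky() -> LeakyCredentials {
    LeakyCredentials {
        access_key: SAMPLE_ACCESS_KEY.to_string(),
        secret_key: SAMPLE_SECRET_KEY.to_string(),
        session_token: SAMPLE_SESSION_TOKEN.to_string(),
    }
}

fn sample_safe() -> Credentials {
    Credentials {
        access_key: SAMPLE_ACCESS_KEY.to_string(),
        secret_key: SAMPLE_SECRET_KEY.to_string(),
        session_token: SAMPLE_SESSION_TOKEN.to_string(),
    }
}

/// What a `debug!("{:?}", creds)` line would contain with derive(Debug).
pub fn leaky_debug_output() -> String {
    format!("{:?}", sample_leaky())
}

/// The same line with the redacting Debug impl.
pub fn safe_debug_output() -> String {
    format!("{:?}", sample_safe())
}

/// The response body as it should look by the time a logger sees it.
pub fn redacted_sample_response() -> String {
    redact_xml_elements(SAMPLE_RESPONSE, &["SecretAccessKey", "SessionToken"])
}

fn main() {
    println!("leaky: {}", leaky_debug_output());
    println!("safe:  {}", safe_debug_output());
    println!("body:  {}", redacted_sample_response());
}
```

The design point is that redaction lives in the type and in the response-logging path, not in the RUST_LOG setting: lowering the log level (as the mitigation above recommends) stops the leak today, but a future debug session re-enables it unless the values themselves are unprintable.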

Compliance Impact

This vulnerability causes sensitive credentials such as SessionToken (JWT), SecretAccessKey, and full JWT claims to be logged in plaintext when debug logging is enabled. Such exposure of sensitive information in logs can lead to non-compliance with common data protection standards and regulations like GDPR and HIPAA, which require the protection of personal and sensitive data from unauthorized disclosure.

Specifically, the leakage of sensitive authentication tokens and keys in logs increases the risk of data breaches and unauthorized access, which can violate requirements for confidentiality and data security mandated by these regulations.
