Executive Summary

CVE-2026-45041 is a critical vulnerability in RustFS versions up to 1.0.0-beta.1 where a hard-coded 2048-bit RSA private key named TEST_PRIVATE_KEY is embedded in the source code and used in production to verify license tokens.

This key is used via RSA PKCS#1 v1.5 decryption for license token verification, which is a flawed approach for authentication. Because the private key is publicly accessible in the source and binaries, attackers can forge arbitrary license tokens with any subject or expiration.

When the license feature is enabled, this allows attackers to completely bypass the license enforcement mechanism, effectively defeating the software's licensing controls.

The vulnerability arises from using encryption/decryption for validation instead of a proper signature scheme, and it was fixed in version 1.0.0-beta.2 by replacing the hard-coded key with a proper signature scheme like Ed25519.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in RustFS allows attackers to forge arbitrary license tokens by exploiting a hard-coded RSA private key embedded in the source code. This flaw defeats the license enforcement mechanism, potentially allowing unauthorized access to license-gated features such as S3 access.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to bypass license enforcement and gain unauthorized access could lead to violations of data protection and access control requirements mandated by such regulations.

Specifically, unauthorized access enabled by this vulnerability could result in improper handling or exposure of sensitive data, which may conflict with the principles of confidentiality and integrity required by GDPR, HIPAA, and similar standards.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to forge valid license tokens, bypassing the license enforcement mechanism in RustFS when the license feature is enabled.

As a result, unauthorized users can gain access to license-gated features, including S3 access gates, without proper authorization.

This can lead to unauthorized use of the software, potential loss of revenue, and compromise of any systems relying on license enforcement for security.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the RustFS software version in use is 1.0.0-beta.1 or earlier, as these versions contain the hard-coded 2048-bit RSA private key named TEST_PRIVATE_KEY.

Additionally, detection can involve searching the source code or binaries for the presence of the TEST_PRIVATE_KEY string constant.

Suggested commands to detect the vulnerability include:

• For source code: grep -r 'TEST_PRIVATE_KEY' /path/to/rustfs/source
• For binaries: strings /path/to/rustfs/binary | grep 'TEST_PRIVATE_KEY'
• Check the installed RustFS version: rustfs --version or inspect package metadata to confirm if it is <= 1.0.0-beta.1

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade RustFS to version 1.0.0-beta.2 or later, where the vulnerability is fixed by removing the hard-coded private key and implementing a proper signature scheme.

If upgrading is not immediately possible, consider disabling the license Cargo feature to avoid enabling the vulnerable license enforcement mechanism.

Additionally, reissue licenses signed with the new key after upgrading to ensure license tokens cannot be forged.

Useful 0 Not Useful 0