CVE-2026-45039

9.8 CRITICAL

RustFS is a distributed object storage system built in Rust

Published: 2026-05-28 · Last updated: 2026-05-29

Severity and scoring

CVSS: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-1392, CWE-798

Description

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, get_shared_secret() in crates/ecstore/src/rpc/http_auth.rs, falls back to the public, source-tree-embedded DEFAULT_SECRET_KEY = "rustfsadmin" when neither the RUSTFS_RPC_SECRET environment variable nor the global S3 secret key has been configured. This vulnerability is fixed in 1.0.0-beta.2.

Source: NVD

References

Related CVEs

Same CWE

CVE-2026-47281 — Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network (9.6 CRITICAL)
CVE-2026-11414 — A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service
CVE-2025-71317 — NetMan 204 contains a hard-coded backdoor account with the username and password 'eurek' that grants administrative access (9.8 CRITICAL)
CVE-2026-21404 — NAVTOR NavBox through version 4.16.1.20 contains hard-coded credentials within its Windows Communication Foundation (SOAP) implementation (6.3 MEDIUM)
CVE-2026-50213 — The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predi... (7.5 HIGH)