QSearch

CVE-2026-45041

RustFS is a distributed object storage system built in Rust

Published: 2026-05-28 · Last updated: 2026-05-29

Severity and scoring

CWE
CWE-321

Description

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TEST_PRIVATE_KEY and uses it in production via parse_license() to "verify" license tokens. Because the key is embedded in every published source release and binary, anyone who can read the repository or extract it from the binary can mint arbitrary license tokens (any subject, any expiration). When the license Cargo feature is enabled, this defeats the entire license-enforcement mechanism. This vulnerability is fixed in 1.0.0-beta.2.

Source: NVD

Related CVEs

Same CWE

  • CVE-2026-11505 A flaw has been found in GL.iNet A1300, AX1800, AXT1800, MT2500, MT3000, MT6000, X3000 and XE3000 4.8.x (5.0 MEDIUM)
  • CVE-2026-46395 HAX CMS helps manage microsite universe with PHP or NodeJs backends
  • CVE-2026-11347 The linqi application contains hardcoded cryptographic keys
  • CVE-2026-45433 This vulnerability exists in GX Earth 2022 ONT models due to the presence of hardcoded RSA private key within the device firmware
  • CVE-2026-50226 Fixed AES-128-CBC keys inside the AcerConnect OTA application let attackers forge authorization credentials for arbitrary IMEI numbers (5.3 MEDIUM)