DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-22782: RustFS Leak: When Error Logs Become Credentials


Vulnerability ID: CVE-2026-22782
CVSS Score: 2.9
Published: 2026-01-16

A classic case of 'debug mode left on in production' affects RustFS, a distributed object storage system. By handling authentication failures too verbosely, the system writes the master HMAC secret directly to the server logs. An attacker with log access—common in modern cloud environments—can retrieve this key and forge valid signatures for any administrative action.

TL;DR

RustFS versions prior to 1.0.0-alpha.80 log the shared HMAC secret when an RPC signature verification fails. This allows attackers with read access to logs to steal the key and gain full control over the storage cluster. The fix involves redacting the secret from error messages.
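The two things the fix has to guarantee are visible in the TL;DR: a failed verification must not put the key into the error message, and no `{:?}` of the configuration reachable from an error path may print it either. The following is an added example, not RustFS code: it wraps the key in a newtype whose `Debug` impl always redacts, returns a structured error that carries only request context, and compares tags in constant time. The names `SecretKey`, `RpcAuthConfig`, `SignatureError` and the signature of `verify_rpc_signature` are assumptions, and `placeholder_mac` is a constructed keyed hash standing in for HMAC-SHA256, which the example does not implement.

```rust
use std::fmt;

/// Newtype for the shared RPC secret. The raw bytes are reachable only via
/// `expose()`, and `Debug` prints a fixed marker, so `{:?}` of any struct
/// containing it (config, request context) cannot leak the key.
#[derive(Clone)]
pub struct SecretKey(Vec<u8>);

impl SecretKey {
    pub fn new(bytes: &[u8]) -> Self {
        SecretKey(bytes.to_vec())
    }
    /// Deliberately explicit accessor so every use of the raw key is greppable.
    pub fn expose(&self) -> &[u8] {
        &self.0
    }
}

impl fmt::Debug for SecretKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("SecretKey([REDACTED])")
    }
}

/// Hypothetical RPC auth config. Deriving Debug is safe here only because the
/// secret field redacts itself.
#[derive(Debug, Clone)]
pub struct RpcAuthConfig {
    pub node_id: String,
    pub secret: SecretKey,
}

/// Error returned on a failed verification. It carries the context an
/// operator needs to debug the failure, never the key or the expected tag.
#[derive(Debug, PartialEq)]
pub struct SignatureError {
    pub request_id: String,
    pub reason: &'static str,
}

impl fmt::Display for SignatureError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "verify_rpc_signature failed for request {}: {}", self.request_id, self.reason)
    }
}

/// Constructed stand-in for HMAC-SHA256: a keyed FNV-1a over key || message.
/// Not a real MAC; the subject of this example is the logging hygiene around it.
pub fn placeholder_mac(key: &[u8], msg: &[u8]) -> [u8; 8] {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in key.iter().chain(msg) {
        h ^= *b as u64;
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h.to_be_bytes()
}

/// Constant-time comparison so timing does not reveal how many tag bytes matched.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

pub fn verify_rpc_signature(
    cfg: &RpcAuthConfig,
    request_id: &str,
    payload: &[u8],
    presented_tag: &[u8],
) -> Result<(), SignatureError> {
    let expected = placeholder_mac(cfg.secret.expose(), payload);
    if ct_eq(&expected, presented_tag) {
        Ok(())
    } else {
        // The pre-fix error! line printed the secret at this point. Here the
        // error holds only the request id and reason, so the caller may log
        // `format!("{}", err)` and even `{:?}` of `cfg` without exposing the key.
        Err(SignatureError { request_id: request_id.to_string(), reason: "signature mismatch" })
    }
}

fn main() {
    // Constructed demo key, not a real secret.
    let cfg = RpcAuthConfig { node_id: "node-1".into(), secret: SecretKey::new(b"constructed-demo-secret") };
    let payload = b"PUT /bucket/obj";
    let good = placeholder_mac(cfg.secret.expose(), payload);
    println!("{:?}", verify_rpc_signature(&cfg, "req-1", payload, &good));
    match verify_rpc_signature(&cfg, "req-2", payload, &[0u8; 8]) {
        Err(e) => println!("{} (config: {:?})", e, cfg),
        Ok(()) => println!("unexpected success"),
    }
}
```

The design choice worth copying is the newtype rather than a manual `Debug` on the config struct: every future struct that embeds `SecretKey` inherits the redaction, whereas a hand-written impl on one config type has to be repeated (and remembered) each time the key is copied into a new context.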


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-532 (Insertion of Sensitive Information into Log File)
  • Attack Vector: Network (Trigger) / Local or Network (Log Access)
  • CVSS 4.0: 2.9 (Low)
  • Impact: Full System Compromise (via Credential Theft)
  • Affected Component: crates/ecstore/src/rpc/http_auth.rs
  • Exploit Complexity: Trivial

Affected Systems

  • RustFS Storage Nodes
  • RustFS RPC Interface
  • RustFS: >= 1.0.0-alpha.1, < 1.0.0-alpha.80 (Fixed in: 1.0.0-alpha.80)

Code Analysis

Commit: 6b2eebe

Fix RPC signature logging and sanitize config Debug impl

- error!("verify_rpc_signature: ... secret {}, ...", secret, ...);
+ error!("verify_rpc_signature: ...", ...);
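Review bot: dropping `secret` from the format arguments closes the direct leak, but the commit title also promises a sanitized config `Debug` impl and this hunk does not show it; confirm that the struct holding the key implements `Debug` manually with that field masked, since any remaining `{:?}` of the config on an error path would print the secret again. It is also worth checking that the shortened message still carries enough non-sensitive context (request id, peer, which check failed) so genuine signature failures remain diagnosable after the redaction.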

Mitigation Strategies

  • Upgrade RustFS immediately to remove the logging flaw.
  • Rotate all shared secrets and API keys used by the cluster.
  • Sanitize existing logs to remove historical leaks.
  • Restrict log access to privileged personnel only.

Remediation Steps:

  1. Pull the latest image or compile from source: rustfs >= 1.0.0-alpha.80.
  2. Generate a new secret_key for your config.toml or environment variables.
  3. Restart all RustFS nodes with the new key.
  4. Search your logging backend (Splunk, ELK, CloudWatch) for the string verify_rpc_signature and purge those entries.
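Step 4 in practice, as an added example that is not part of the report or of RustFS: a scanner for a retained log export that flags lines carrying the pre-fix `verify_rpc_signature` message, masks the key value in place for entries that must be kept, and reports how many lines were affected. The exact pre-fix line format is elided in the hunk above, so the `secret <value>,` shape and the sample log lines here are constructed assumptions.

```rust
/// Marker emitted by the pre-fix RustFS error path (from the CVE report).
const LEAK_MARKER: &str = "verify_rpc_signature";

/// Result of scanning one log line.
#[derive(Debug, PartialEq)]
pub enum LineStatus {
    Clean,
    /// Line contains the marker and a `secret <value>` field that was masked.
    Masked,
    /// Line contains the marker but no recognisable secret field; keep for review.
    MarkerOnly,
}

/// Mask the value that follows `secret ` up to the next comma or end of line.
/// Returns the rewritten line and what was done. The `secret <value>,` shape
/// is an assumption about the pre-fix format, which the report elides.
pub fn sanitize_line(line: &str) -> (String, LineStatus) {
    if !line.contains(LEAK_MARKER) {
        return (line.to_string(), LineStatus::Clean);
    }
    let needle = "secret ";
    match line.find(needle) {
        None => (line.to_string(), LineStatus::MarkerOnly),
        Some(start) => {
            let value_start = start + needle.len();
            let rest = &line[value_start..];
            let value_end = rest.find(',').map(|i| value_start + i).unwrap_or(line.len());
            let mut out = String::with_capacity(line.len());
            out.push_str(&line[..value_start]);
            out.push_str("[REDACTED]");
            out.push_str(&line[value_end..]);
            (out, LineStatus::Masked)
        }
    }
}

/// Sanitize a whole log and return (sanitized text, number of masked lines).
pub fn sanitize_log(log: &str) -> (String, usize) {
    let mut masked = 0usize;
    let lines: Vec<String> = log
        .lines()
        .map(|l| {
            let (out, status) = sanitize_line(l);
            if status == LineStatus::Masked {
                masked += 1;
            }
            out
        })
        .collect();
    (lines.join("\n"), masked)
}

/// Constructed sample log export; the key value is a demo string, not a real secret.
pub const SAMPLE_LOG: &str = concat!(
    "2026-01-15T10:00:01Z INFO  rpc: node-2 joined cluster\n",
    "2026-01-15T10:00:07Z ERROR verify_rpc_signature: mismatch secret demo-hmac-key-123, peer 10.0.0.5, request req-77\n",
    "2026-01-15T10:00:09Z WARN  bucket quota at 90%",
);

fn main() {
    let (clean, n) = sanitize_log(SAMPLE_LOG);
    println!("masked {} line(s):\n{}", n, clean);
}
```

Masking is the fallback for entries that retention rules force you to keep; where the backend allows it, deleting the flagged entries outright (as the step says) is simpler, and either way the count of masked lines is a useful figure for the incident record because it bounds how many times the key was written out.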

References

Read the full report for CVE-2026-22782 on cvereports.com for more details, including interactive diagrams and full exploit analysis.
