DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24762: RustFS: When 'Safe' Languages Leak Like a Sieve


Vulnerability ID: CVE-2026-24762
CVSS Score: 6.9
Published: 2026-02-03

RustFS, a high-performance distributed object storage system, inadvertently implemented a feature that turns your log aggregation stack into a password manager. By logging authentication credentials at the INFO level, the system broadcast Access Keys, Secret Keys, and Session Tokens to anyone with read access to its logs. Rust's memory safety does nothing for this class of bug: CWE-532 is a logic error, and the borrow checker will happily let you format a secret into a log line.

TL;DR

RustFS versions alpha.13 through alpha.81 logged full S3 credentials (access keys, secret keys and session tokens) in plaintext at the INFO log level. Anyone who can read those logs (a SIEM such as Splunk or ELK, the local disk, a log-shipping pipeline) can replay the keys against the S3 API with the privileges of the principal they belong to; if administrative keys were logged, that is the entire storage cluster. Patch to alpha.82 immediately and rotate all keys.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-532 (Insertion of Sensitive Info into Log File)
  • CVSS v4.0: 6.9 (Medium)
  • Attack Vector: Network (Log Access)
  • Attack Complexity: Low
  • Data Leaked: Access Keys, Secret Keys, Session Tokens
  • Patch Status: Fixed in alpha.82

Affected Systems

  • RustFS Distributed Storage
  • RustFS: >= alpha.13, < alpha.82 (Fixed in: alpha.82)

Mitigation Strategies

  • Upgrade to RustFS alpha.82 or later
  • Implement log scrubbing/redaction pipelines
  • Restrict access to log aggregation tools

Remediation Steps:

  1. Stop the RustFS service.
  2. Update the binary to version alpha.82 or later.
  3. Rotate ALL S3 Access Keys and Secret Keys that were in use.
  4. Revoke active Session Tokens.
  5. Search and purge historical logs containing credential patterns.
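The redaction pipeline from the mitigation list and the historical-log search in step 5 need the same thing: a pattern for the credential fields, a way to scrub the values before a line reaches the aggregator, and an inventory of which access keys appeared so you know what to rotate. The following is an added example written for this article, not RustFS code and not taken from the advisory; the field names `access_key`, `secret_key` and `session_token`, the `key=value` and JSON layouts, and the sample log lines are all assumptions (RustFS's real log format is not shown here), so adjust `CRED_RE` to whatever your version actually emits.

```python
import re
from collections import Counter

# Assumed field names and layouts (key=value and "key": "value"); the
# advisory does not show RustFS's real log format, so tune this pattern.
CRED_RE = re.compile(
    r'(?P<field>access_key|secret_key|session_token)'  # sensitive field name
    r'(?P<sep>"?\s*[=:]\s*"?)'                         # = or : with optional quotes
    r'(?P<value>[^"\s,}]+)',                           # value up to a delimiter
    re.IGNORECASE,
)

# Constructed sample lines in the assumed layout, NOT real RustFS output.
SAMPLE_LOG = """\
2026-02-01T10:00:00Z INFO rustfs::auth authenticated access_key=RUSTFSEXAMPLEKEY01 secret_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY session_token=FwoGZXIvYXdzEBYaDEXAMPLETOKEN
2026-02-01T10:00:01Z INFO rustfs::s3 GET /bucket/object.txt 200
2026-02-01T10:00:02Z INFO rustfs::auth {"event":"sts","access_key":"RUSTFSEXAMPLEKEY02","secret_key":"abc123/SECRET+EXAMPLE","session_token":"FwoGEXAMPLETOKEN2"}
2026-02-01T10:00:03Z INFO rustfs::auth authenticated access_key=RUSTFSEXAMPLEKEY01 secret_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


def find_credentials(line):
    """Return [(field, value), ...] for every credential field found in a line."""
    return [(m.group("field").lower(), m.group("value")) for m in CRED_RE.finditer(line)]


def redact(line, keep_prefix=4):
    """Scrub credential values from a line before it reaches the aggregator.

    Secret keys and session tokens are replaced entirely. The access key keeps
    a short prefix so an analyst can still tell which key a line refers to
    (and therefore which key to rotate) without the log being replayable.
    """
    def _sub(m):
        field = m.group("field").lower()
        value = m.group("value")
        shown = value[:keep_prefix] + "..." if field == "access_key" else "[REDACTED]"
        return m.group("field") + m.group("sep") + shown
    return CRED_RE.sub(_sub, line)


def scan(log_text):
    """Inventory a historical log: which access keys leaked, and how many lines
    exposed each field type. Feed the access-key list to your rotation job."""
    access_keys = Counter()
    leaks = Counter()
    for line in log_text.splitlines():
        for field, value in find_credentials(line):
            leaks[field] += 1
            if field == "access_key":
                access_keys[value] += 1
    return {"access_keys": dict(access_keys), "leaks": dict(leaks)}


if __name__ == "__main__":
    # As a shipping-time filter: emit the redacted line instead of the original.
    for raw in SAMPLE_LOG.splitlines():
        print(redact(raw))
    # As a forensic pass over archived logs: report what must be rotated.
    print(scan(SAMPLE_LOG))
```

Run the redaction half as a filter in front of your shipper (a Fluent Bit or Logstash filter that calls the same regex does the same job) and the `scan` half over every archive that received RustFS logs during the affected window; treat every access key it reports as compromised, rotate it, and only then purge the lines.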

