
Bilisheep

Researcher from Xmirror Security Team
#23581 of 53,630
10 Total CVSS
Vulnerabilities · 1
PT-2025-54203
10
2025-12-30
Rustfs · Rustfs · CVE-2025-68926
**Name of the Vulnerable Software and Affected Versions**

RustFS versions prior to 1.0.0-alpha.77

**Description**

RustFS, a distributed object storage system built in Rust, uses a hardcoded static token, `"rustfs rpc"`, for gRPC authentication in versions prior to 1.0.0-alpha.77. The token is publicly exposed in the source code repository, hardcoded on both the client and server sides, and cannot be rotated. An attacker with network access to the gRPC port can use it to authenticate and perform privileged operations, including data destruction, policy manipulation, and cluster configuration changes. Reports indicate over 250 publicly accessible RustFS instances worldwide. In effect, the hardcoded credential allows authentication bypass on internet-exposed instances via the gRPC management port. The vulnerability was introduced on September 27, 2024, published on October 1, 2024, and patched on January 5, 2026, leaving approximately 15 months of exposure. The **API endpoint** used for authentication is the gRPC service; the vulnerable parameter is the `authorization` header, which expects the value `"rustfs rpc"`.

**Recommendations**

Update to version 1.0.0-alpha.77 or later.