PT-2025-54203 · Rustfs · Rustfs

Bilisheep · Published 2025-12-30 · Updated 2026-02-04 · CVE-2025-68926

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: RustFS versions prior to 1.0.0-alpha.77
Description: RustFS, a distributed object storage system built in Rust, uses a hardcoded static token, "rustfs rpc", for gRPC authentication in versions prior to 1.0.0-alpha.77. The token is publicly exposed in the source code repository, hardcoded on both the client and server sides, and has no rotation mechanism. An attacker with network access to the gRPC port can present this token to authenticate and perform privileged operations, including data destruction, policy manipulation, and cluster configuration changes. Reports indicate over 250 publicly accessible RustFS instances worldwide. The weakness is a hardcoded credential that allows authentication bypass on internet-exposed instances via the gRPC management port. The vulnerability was introduced on September 27, 2024, published on October 1, 2024, and patched on January 5, 2026, resulting in approximately 15 months of exposure. The API endpoint used for authentication is the gRPC service, and the vulnerable parameter is the authorization header, which expects the value "rustfs rpc".
Recommendations: Update to version 1.0.0-alpha.77 or later.
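A defender-side illustration of the class of fix the recommendation implies, added here as an example and not taken from RustFS's own code: the weak pattern (comparing the gRPC authorization header to a literal baked into the binary) beside a hardened check that loads a per-deployment secret at startup, refuses to run with the known default, and compares in constant time. The environment variable name RUSTFS_RPC_SECRET, the 32-byte minimum length, and the function and type names are assumptions made for this example; only the token value "rustfs rpc" comes from the advisory.

```rust
use std::env;

/// Static token the advisory reports was hardcoded on client and server before 1.0.0-alpha.77.
const KNOWN_WEAK_TOKENS: &[&str] = &["rustfs rpc"];

/// Minimum secret length accepted at startup (assumed policy for this example).
const MIN_SECRET_LEN: usize = 32;

#[derive(Debug, PartialEq)]
pub enum AuthError {
    MissingHeader,
    InvalidToken,
}

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    Missing,
    TooShort,
    KnownWeakDefault,
}

/// The vulnerable pattern: the header is compared against a literal compiled into the
/// binary, so every deployment shares one credential that cannot be rotated.
pub fn vulnerable_authorize(authorization: Option<&str>) -> bool {
    authorization == Some("rustfs rpc")
}

/// Constant-time comparison of equal-length byte strings. A length mismatch returns
/// early, which reveals only the secret's length, not its contents.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Validate an operator-supplied secret: reject an absent value, any known-default
/// token, and anything too short to have been generated randomly.
pub fn validate_rpc_secret(value: Option<&str>) -> Result<String, ConfigError> {
    let secret = value
        .map(str::trim)
        .filter(|s| !s.is_empty())
        .ok_or(ConfigError::Missing)?;
    if KNOWN_WEAK_TOKENS
        .iter()
        .any(|weak| constant_time_eq(weak.as_bytes(), secret.as_bytes()))
    {
        return Err(ConfigError::KnownWeakDefault);
    }
    if secret.len() < MIN_SECRET_LEN {
        return Err(ConfigError::TooShort);
    }
    Ok(secret.to_string())
}

/// Read the secret from the environment at startup (variable name assumed for this
/// example). Rotation becomes a matter of changing the variable and restarting nodes.
pub fn load_rpc_secret() -> Result<String, ConfigError> {
    let value = env::var("RUSTFS_RPC_SECRET").ok();
    validate_rpc_secret(value.as_deref())
}

/// Hardened check: the `authorization` metadata value must equal the per-deployment
/// secret, compared without leaking timing information.
pub fn authorize(authorization: Option<&str>, secret: &str) -> Result<(), AuthError> {
    let presented = authorization.ok_or(AuthError::MissingHeader)?;
    if constant_time_eq(presented.as_bytes(), secret.as_bytes()) {
        Ok(())
    } else {
        Err(AuthError::InvalidToken)
    }
}

fn main() {
    match load_rpc_secret() {
        Err(err) => println!("refusing to start: {:?}", err),
        Ok(secret) => {
            println!("valid request: {:?}", authorize(Some(&secret), &secret));
            println!("old static token: {:?}", authorize(Some("rustfs rpc"), &secret));
        }
    }
}
```

Run with RUSTFS_RPC_SECRET unset or set to "rustfs rpc" and the process refuses to start; with a random 32-byte value it accepts only a header carrying that value. The startup denylist is the detection half of the fix: a node upgraded in code but still configured with the old token fails closed instead of silently staying exposed.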

Weakness Enumeration

Using Hardcoded Credentials
Improper Authentication

Related Identifiers

BDU:2026-00007
CVE-2025-68926
GHSA-H956-RH7X-PPGJ

Affected Products

Rustfs