PT-2026-3260 · Rustfs · Rustfs

Rand-Tech · Published 2026-01-11 · Updated 2026-02-09 · CVE-2026-22782

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79

Description: RustFS is a distributed object storage system built in Rust. Invalid RPC signatures cause the server to log the shared HMAC secret and the expected signature. This exposes the secret to log readers, potentially enabling forged RPC calls. The issue resides in the crates/ecstore/src/rpc/http auth.rs file, specifically within the invalid signature branch, where sensitive data is logged. Any invalidly signed request triggers this logging, and the function is accessible from RPC and admin request handlers. The logged information includes the secret and expected signature, both derived from the shared HMAC key.

Recommendations: Upgrade to RustFS version 1.0.0-alpha.80 or later.
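The failure mode described above, as an added example that is not RustFS code: the leaky invalid-signature branch beside a hardened one that keeps the same accept/reject decision but logs only non-secret context, plus a triage check a responder can run over existing log lines. Python's standard-library HMAC is used so the example runs without third-party crates; the secret, request bytes and the `key_id` fingerprint are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample values for this example (not taken from the advisory).
SHARED_SECRET = b"constructed-shared-hmac-secret"
REQUEST = b"POST /rpc/admin/heal\nx-date: 2026-01-11T00:00:00Z\n"


def sign(secret: bytes, request: bytes) -> str:
    """HMAC-SHA256 over the request bytes, hex encoded."""
    return hmac.new(secret, request, hashlib.sha256).hexdigest()


def verify_leaky(secret: bytes, request: bytes, presented: str, log: list) -> bool:
    """Invalid-signature branch modelled on the advisory: the log line carries
    the shared secret and the expected MAC, so any log reader learns the key
    and a valid signature for this exact request."""
    expected = sign(secret, request)
    if not hmac.compare_digest(expected, presented):
        log.append(f"invalid signature: expected={expected} secret={secret.hex()}")
        return False
    return True


def key_id(secret: bytes) -> str:
    """Short fingerprint for correlating key rotations in logs without
    writing the key itself (constructed convention for this example)."""
    return hashlib.sha256(b"key-id:" + secret).hexdigest()[:8]


def verify_safe(secret: bytes, request: bytes, presented: str, log: list) -> bool:
    """Hardened branch: same constant-time decision, but the log line holds
    only a key fingerprint, a prefix of what the caller sent, and the size."""
    expected = sign(secret, request)
    if not hmac.compare_digest(expected, presented):
        log.append(
            f"invalid signature: key_id={key_id(secret)} "
            f"presented_prefix={presented[:8]} request_len={len(request)}"
        )
        return False
    return True


def log_exposes_key(log: list, secret: bytes, request: bytes) -> bool:
    """Triage check for logs already written: did any line contain the key
    material or the valid MAC for this request (either lets a reader forge)?"""
    leaked = {secret.hex(), sign(secret, request)}
    return any(token in line for line in log for token in leaked)
```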

Weakness Enumeration

Insertion into Log File

Related Identifiers

BDU:2026-00684
CVE-2026-22782
GHSA-333V-68XH-8MMQ

Affected Products

Rustfs