PT-2026-44467 · Rustfs · Rustfs

Skandragon · Published 2026-05-28 · Updated 2026-05-28 · CVE-2026-45039

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: RustFS versions prior to 1.0.0-beta.2

Description: The internode RPC layer authenticates requests with an HMAC-SHA256 signature over a shared secret. The function `get_shared_secret()` in `crates/ecstore/src/rpc/http_auth.rs` falls back to a public, source-tree-embedded key, `DEFAULT_SECRET_KEY` ("rustfsadmin"), whenever neither the `RUSTFS_RPC_SECRET` environment variable nor the global S3 secret key is configured. Because that key is known to anyone with access to the source, an unauthenticated network attacker can produce valid signatures for internode RPC requests on such a deployment.

Recommendations: Update to version 1.0.0-beta.2. Configure the `RUSTFS_RPC_SECRET` environment variable or the global S3 secret key so that the default secret key is never used.
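To make the defect and its fix concrete, the following added example (not RustFS code, and not taken from the advisory) contrasts the fallback pattern the advisory describes with a fail-closed secret resolver. Only `get_shared_secret`, `DEFAULT_SECRET_KEY` and `RUSTFS_RPC_SECRET` come from the advisory; the error type, the `_vulnerable` suffix, the minimum length policy and the wrapper that reads the environment are assumptions made for illustration. The HMAC computation itself is out of scope here; the bug is in how the key is chosen, so that is what the code models.

```rust
// Added example, not RustFS code. Models the key-selection logic from the
// advisory: a silent fallback to an embedded default versus a fail-closed
// resolver that refuses to run without an operator-supplied secret.

/// Public key embedded in the source tree, per the advisory ("rustfsadmin").
pub const DEFAULT_SECRET_KEY: &str = "rustfsadmin";

/// Assumed minimum length for an HMAC-SHA256 key (policy choice, not from the page).
const MIN_SECRET_LEN: usize = 16;

#[derive(Debug, PartialEq)]
pub enum SecretError {
    /// Neither RUSTFS_RPC_SECRET nor the global S3 secret key was configured.
    NotConfigured,
    /// The configured value equals the publicly known default.
    IsPublicDefault,
    /// The configured value is too short to serve as an HMAC key (carries its length).
    TooShort(usize),
}

/// Vulnerable pattern from the advisory: when nothing is configured, the
/// embedded default becomes the shared secret and every node signs with it.
pub fn get_shared_secret_vulnerable(env_secret: Option<&str>, s3_secret: Option<&str>) -> String {
    env_secret
        .or(s3_secret)
        .map(str::to_owned)
        .unwrap_or_else(|| DEFAULT_SECRET_KEY.to_owned())
}

/// Fail-closed version (assumed design): an absent, empty, default, or too
/// short secret is a startup error rather than a silent downgrade.
pub fn get_shared_secret(env_secret: Option<&str>, s3_secret: Option<&str>) -> Result<String, SecretError> {
    // Prefer the explicit RPC secret, then the global S3 secret; treat empty as unset.
    let candidate = env_secret
        .filter(|s| !s.is_empty())
        .or(s3_secret.filter(|s| !s.is_empty()))
        .ok_or(SecretError::NotConfigured)?;

    // Refuse the source-tree default even if an operator pasted it in on purpose.
    if candidate == DEFAULT_SECRET_KEY {
        return Err(SecretError::IsPublicDefault);
    }
    if candidate.len() < MIN_SECRET_LEN {
        return Err(SecretError::TooShort(candidate.len()));
    }
    Ok(candidate.to_owned())
}

/// Wrapper reading the real environment variable named in the advisory;
/// the S3 secret is passed in because its source is deployment-specific.
pub fn get_shared_secret_from_env(s3_secret: Option<&str>) -> Result<String, SecretError> {
    let env = std::env::var("RUSTFS_RPC_SECRET").ok();
    get_shared_secret(env.as_deref(), s3_secret)
}

fn main() {
    // Constructed scenario: an unconfigured node.
    println!("vulnerable resolver yields: {:?}", get_shared_secret_vulnerable(None, None));
    println!("fail-closed resolver yields: {:?}", get_shared_secret(None, None));
}
```

The rejection of the literal default is worth keeping even after the fallback is removed: it turns a copy-pasted sample configuration into a visible startup failure instead of a cluster whose internode traffic anyone can sign.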

Fix

Weakness Enumeration

Using Hardcoded Credentials

Related Identifiers

CVE-2026-45039

Affected Products

Rustfs