PT-2026-44469 · Rustfs · Rustfs
Skandragon · Published 2026-05-28 · Updated 2026-05-28 · CVE-2026-45041
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
RustFS versions prior to 1.0.0-beta.2
Description
The software includes a 2048-bit RSA private key as a string constant named TEST_PRIVATE_KEY in the file crates/appauth/src/token.rs. This key is used in production by the parse_license() function to verify license tokens. Because the key is embedded in every published source release and binary, anyone with access to the repository or a binary can extract it and create license tokens with an arbitrary subject or expiration date, bypassing the license-enforcement mechanism when the license Cargo feature is enabled.
Recommendations
Update to version 1.0.0-beta.2.
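A defender-side check for this weakness class, added here as an example and not taken from the RustFS project: a token verifier only ever needs the public key embedded, so the scanner below walks source text for PEM-armoured blocks, decodes each body, and reports any whose label denotes private key material, with the line it sits on. The Rust-style snippet it scans is constructed for the example and carries placeholder bytes rather than a real key.

```python
import base64
import re

# Any PEM block: a label, a base64 body, and a matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

def scan_pem_blocks(source: str) -> list:
    """Return one record per PEM block in `source`: line, label, decoded size,
    and whether the label denotes private key material."""
    found = []
    for m in PEM_BLOCK.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        label = m.group(1)
        body = re.sub(r"\s+", "", m.group(2))
        try:
            decoded = base64.b64decode(body, validate=True)
        except ValueError:
            continue  # PEM-looking armour around a non-base64 body: not key material
        found.append({
            "line": line_no,
            "label": label,
            "bytes": len(decoded),
            "private": label.endswith("PRIVATE KEY"),
        })
    return found

def embedded_private_keys(source: str) -> list:
    """Only the blocks that verifier-side code must never ship."""
    return [b for b in scan_pem_blocks(source) if b["private"]]

# Constructed stand-in for a source file: placeholder bytes, not a real key.
_FAKE_BODY = base64.b64encode(b"constructed placeholder, not real key material " * 3).decode()
_FAKE_BODY = "\n".join(_FAKE_BODY[i:i + 64] for i in range(0, len(_FAKE_BODY), 64))
SAMPLE_RS = f'''// constructed sample modelled on a key constant embedded in source
pub const TEST_PRIVATE_KEY: &str = "-----BEGIN RSA PRIVATE KEY-----
{_FAKE_BODY}
-----END RSA PRIVATE KEY-----";

pub const LICENSE_PUBLIC_KEY: &str = "-----BEGIN PUBLIC KEY-----
{_FAKE_BODY}
-----END PUBLIC KEY-----";
'''

if __name__ == "__main__":
    for hit in embedded_private_keys(SAMPLE_RS):
        print(f"line {hit['line']}: {hit['label']} ({hit['bytes']} bytes DER)")
```

Run over a checkout, the same functions applied file by file flag private keys regardless of how the constant is named, which is the signal a review of a verify-only code path should act on.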
Affected Products: Rustfs