PT-2026-6208 · Rustfs · Rustfs

Cchheang · Published 2026-02-03 · Updated 2026-02-24 · CVE-2026-24762

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

RustFS versions alpha.13 through alpha.81

Description

RustFS logs sensitive credential material, including access key, secret key, and session token, to application logs at the INFO level. This results in credentials being recorded in plaintext in log output, potentially accessible to internal or external log consumers, which could lead to compromise of sensitive credentials. The server writes newly generated STS credential information to logs, as demonstrated in log excerpts. An attacker or unauthorized internal user with access to logs could retrieve these credentials and use them to authenticate to RustFS services or perform other unauthorized actions. This issue is classified as an information disclosure issue.

Recommendations

RustFS versions alpha.13 through alpha.81: Upgrade to version alpha.82 or later to resolve this issue. Do not include secrets in log output: redact secret key, session token, and similar fields. Log only safe identifiers such as non-sensitive IDs.
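
One way to follow the redaction recommendation above in Rust, as an added example that is not RustFS code: a wrapper type whose Debug and Display output is always redacted, so a derived Debug on the credential struct cannot leak the value. The type, field and function names and the sample values are assumptions constructed for illustration.

```rust
use std::fmt;

/// Wrapper whose Debug/Display never reveal the inner value (hypothetical helper).
pub struct Secret(String);

impl Secret {
    pub fn new(v: &str) -> Self { Secret(v.to_string()) }
    /// Explicit, greppable access for the code paths that really need the value.
    pub fn expose(&self) -> &str { &self.0 }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("[REDACTED]")
    }
}

impl fmt::Display for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("[REDACTED]")
    }
}

/// Hypothetical STS credential record; field names are assumptions.
#[derive(Debug)]
pub struct StsCredentials {
    pub request_id: String, // non-sensitive identifier, safe to log
    pub access_key: Secret,
    pub secret_key: Secret,
    pub session_token: Secret,
}

/// Builds the INFO-level log line for newly issued credentials.
pub fn issue_log_line(c: &StsCredentials) -> String {
    format!("INFO issued STS credentials: {:?}", c)
}

/// Constructed sample values, not real credentials.
pub fn sample() -> StsCredentials {
    StsCredentials {
        request_id: "req-0001".into(),
        access_key: Secret::new("EXAMPLEACCESSKEY"),
        secret_key: Secret::new("example-secret-key"),
        session_token: Secret::new("example-session-token"),
    }
}

fn main() { println!("{}", issue_log_line(&sample())); }
```

Because redaction lives in the type, any new log statement that formats the struct inherits it, and every read of the raw value goes through `expose()`, which is easy to audit.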

Exploit

Fix

Insertion into Log File

Weakness Enumeration

Related Identifiers

CVE-2026-24762
GHSA-R54G-49RX-98CR

Affected Products

Rustfs