CVE-2026-45039: RustFS: Shared secret key exposed in insecure scenarios

Summary

RustFS's internal communication system uses a secret key for authentication. However, in some cases, a default key is used instead of a properly configured one. This could potentially allow unauthorized access to the system. To address this, update to version 1.0.0-beta.2 or later.

Original description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, get_shared_secret() in crates/ecstore/src/rpc/http_auth.rs, falls back to the public, source-tree-embedded DEFAULT_SECRET_KEY = "rustfsadmin" when neither the RUSTFS_RPC_SECRET environment variable nor the global S3 secret key has been configured. This vulnerability is fixed in 1.0.0-beta.2.
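The advisory's root cause is a secret-resolution function that silently falls back to a source-tree constant. The Rust below is an added illustration written for this page, not RustFS's own code: it models the pre-fix fallback next to a fail-closed resolver that refuses to start internode RPC when no secret is configured, when the configured value equals the public default, or when it is too short for a 256-bit HMAC key. The struct `SecretSources`, the function names, and the `MIN_SECRET_LEN` threshold are assumptions of this example; only `DEFAULT_SECRET_KEY = "rustfsadmin"` and the `RUSTFS_RPC_SECRET` variable name come from the advisory.

```rust
use std::env;

/// Public default baked into the source tree (value taken from the advisory).
pub const DEFAULT_SECRET_KEY: &str = "rustfsadmin";

/// Minimum secret length the hardened resolver accepts. This threshold is an
/// assumption of the example, not a RustFS setting; 32 bytes is a 256-bit key,
/// the natural block size for HMAC-SHA256.
pub const MIN_SECRET_LEN: usize = 32;

/// The two configuration sources the advisory names. Field names are assumptions.
#[derive(Debug, Default, Clone)]
pub struct SecretSources {
    /// Value of the RUSTFS_RPC_SECRET environment variable, if set.
    pub rpc_secret_env: Option<String>,
    /// The globally configured S3 secret key, if any.
    pub global_s3_secret: Option<String>,
}

impl SecretSources {
    /// Read the environment variable; the S3 secret lives in the process's
    /// global config, which the caller passes in here.
    pub fn from_env(global_s3_secret: Option<String>) -> Self {
        SecretSources {
            rpc_secret_env: env::var("RUSTFS_RPC_SECRET").ok(),
            global_s3_secret,
        }
    }

    /// First configured, non-empty value in priority order (env var, then S3 key).
    /// An empty string counts as "not configured" so `RUSTFS_RPC_SECRET=` cannot
    /// slip through as a zero-length key.
    fn configured_secret(&self) -> Option<&str> {
        self.rpc_secret_env
            .as_deref()
            .filter(|s| !s.is_empty())
            .or_else(|| self.global_s3_secret.as_deref().filter(|s| !s.is_empty()))
    }
}

/// Why the hardened resolver refused to produce a key.
#[derive(Debug, PartialEq, Eq)]
pub enum SecretError {
    NotConfigured,
    IsDefault,
    TooShort(usize),
}

/// Pre-fix behaviour modelled from the advisory: with nothing configured the
/// node signs and verifies every internode request with the public constant.
pub fn resolve_shared_secret_vulnerable(src: &SecretSources) -> String {
    src.configured_secret()
        .unwrap_or(DEFAULT_SECRET_KEY)
        .to_string()
}

/// Fail-closed behaviour: no secret, the default secret, or a short secret is an
/// error, so the node never authenticates peers with a key an attacker can read
/// from the repository.
pub fn resolve_shared_secret_fixed(src: &SecretSources) -> Result<String, SecretError> {
    let secret = src.configured_secret().ok_or(SecretError::NotConfigured)?;
    if secret == DEFAULT_SECRET_KEY {
        return Err(SecretError::IsDefault);
    }
    if secret.len() < MIN_SECRET_LEN {
        return Err(SecretError::TooShort(secret.len()));
    }
    Ok(secret.to_string())
}

fn main() {
    // Constructed input: a node started with neither source configured.
    let unconfigured = SecretSources::default();
    println!("vulnerable: {:?}", resolve_shared_secret_vulnerable(&unconfigured));
    println!("fixed:      {:?}", resolve_shared_secret_fixed(&unconfigured));

    // Operator self-check against the real environment of this process.
    match resolve_shared_secret_fixed(&SecretSources::from_env(None)) {
        Ok(_) => println!("RUSTFS_RPC_SECRET is set and acceptable"),
        Err(e) => println!("refusing to start internode RPC: {:?}", e),
    }
}
```

Running the binary on a host where `RUSTFS_RPC_SECRET` is unset prints the fallback value for the vulnerable path and `Err(NotConfigured)` for the fixed one, which is the check an operator of a pre-1.0.0-beta.2 deployment would want to run on each node before upgrading. The `IsDefault` arm matters because setting the variable explicitly to the documented default would otherwise pass a naive "is it configured?" test.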
NVD CVSS 3.1: 9.8

Vulnerability type
CWE-798 Use of Hard-coded Credentials
CWE-1392 Use of Default Credentials
Published: 28 May 2026 · Updated: 30 May 2026 · First seen: 28 May 2026