Description

RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls. In crates/ecstore/src/rpc/http_auth.rs, the invalid signature branch logs sensitive data. This log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers. This vulnerability is fixed in 1.0.0-alpha.80.

INFO

Published Date :

2026-01-16T16:14:15.203Z

Last Modified :

2026-01-16T16:36:08.520Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-22782 vulnerability.

Vendors Products
Rustfs
  • Rustfs
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-22782.

URL Resource
https://github.com/rustfs/rustfs/blob/9e162b6e9ebb874cc1d06a7b33bc4a05786578aa/crates/ecstore/src/rpc/http_auth.rs#L115-L122 cve-icon cve-icon
https://github.com/rustfs/rustfs/commit/6b2eebee1d07399ef02c0863bd515b4412a5a560 cve-icon cve-icon
https://github.com/rustfs/rustfs/security/advisories/GHSA-333v-68xh-8mmq cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability