Exposed HMAC Secrets in RustFS Distributed Object Storage System
CVE-2026-22782

2.9LOW

Key Information:

Vendor

Rustfs

Status
Rustfs
Vendor
CVE Published:
16 January 2026

What is CVE-2026-22782?

RustFS, a distributed object storage system built in Rust, contains a vulnerability where invalid RPC signatures cause the server to log sensitive information, specifically the shared HMAC secret and expected signature. This exposure enables malicious actors to forge RPC calls, leading to potential abuse of the storage system. The issue arises in the logging mechanism for invalid signatures in the RPC layer, which can be activated by any incorrectly signed request. This vulnerability was addressed in version 1.0.0-alpha.80, ensuring the secure handling of RPC signatures.

Affected Version(s)

rustfs >= 1.0.0-alpha.1, < 1.0.0-alpha.80

References

https://github.com/rustfs/rustfs/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/rustfs/rustfs/commit/6b2eebee1d07399ef...
x_refsource_MISC
https://github.com/rustfs/rustfs/blob/9e162b6e9ebb874cc1d...
x_refsource_MISC

CVSS V4

Score:
2.9
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.