Authentication Flaw in RustFS Distributed Object Storage System
CVE-2026-45039

9.8 CRITICAL

Key Information:

Vendor: Rustfs

Status
Vendor
CVE Published: 28 May 2026

What is CVE-2026-45039?

RustFS, a distributed object storage system developed in Rust, has an authentication vulnerability in its internode RPC layer. When neither the RUSTFS_RPC_SECRET environment variable nor a global S3 secret key is configured, the system falls back to a default shared secret, 'rustfsadmin'. This could allow unauthorized access, compromising the integrity of the stored data. It is recommended to upgrade to version 1.0.0-beta.2 or later to mitigate this risk.
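The fallback pattern described above, next to a fail-closed alternative, as an added Rust example. It is not RustFS source code and not the project's actual fix. The function names and the `SecretError` type are hypothetical, and rejecting an explicitly configured 'rustfsadmin' is an assumed hardening choice; only RUSTFS_RPC_SECRET and the default value come from the advisory.

```rust
// Added illustration, not RustFS code. All function and type names are hypothetical.
const DEFAULT_SECRET: &str = "rustfsadmin"; // default value named in the advisory

#[derive(Debug, PartialEq)]
enum SecretError {
    NotConfigured, // neither source supplied a usable value
    KnownDefault,  // value equals the publicly known default
}

// Treat unset, empty and whitespace-only values the same way.
fn non_empty(v: Option<&str>) -> Option<&str> {
    v.map(str::trim).filter(|s| !s.is_empty())
}

// Weak pattern: a missing configuration silently becomes a known secret.
fn resolve_with_fallback(rpc: Option<&str>, s3: Option<&str>) -> String {
    non_empty(rpc).or(non_empty(s3)).unwrap_or(DEFAULT_SECRET).to_string()
}

// Fail-closed pattern: refuse to start without a secret, and refuse the default.
fn resolve_fail_closed(rpc: Option<&str>, s3: Option<&str>) -> Result<String, SecretError> {
    match non_empty(rpc).or(non_empty(s3)) {
        None => Err(SecretError::NotConfigured),
        Some(s) if s == DEFAULT_SECRET => Err(SecretError::KnownDefault),
        Some(s) => Ok(s.to_string()),
    }
}

fn main() {
    let rpc = std::env::var("RUSTFS_RPC_SECRET").ok();
    // The global S3 secret key lookup is omitted here and assumed unset.
    let s3: Option<&str> = None;

    let weak = resolve_with_fallback(rpc.as_deref(), s3);
    println!("fallback resolver uses default: {}", weak == DEFAULT_SECRET);

    match resolve_fail_closed(rpc.as_deref(), s3) {
        Ok(_) => println!("fail-closed resolver: secret accepted"),
        Err(e) => {
            eprintln!("fail-closed resolver: refusing to start ({:?})", e);
            std::process::exit(1);
        }
    }
}
```

Run with RUSTFS_RPC_SECRET unset, the first resolver reports that it is using the default while the second exits non-zero, which is the behaviour an operator would want to see at startup.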

Affected Version(s)

rustfs < 1.0.0-beta.2

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
