CRITICAL🇵🇱 Wersja polska

CVE-2026-45039

CVSS 9.8v3.1pub. 2026-05-28upd. 2026-05-29

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, get_shared_secret() in crates/ecstore/src/rpc/http_auth.rs, falls back to the public, source-tree-embedded DEFAULT_SECRET_KEY = "rustfsadmin" when neither the RUSTFS_RPC_SECRET environment variable nor the global S3 secret key has been configured. This vulnerability is fixed in 1.0.0-beta.2.

🤖 AI Analysis
How it works

The get_shared_secret() function in the file crates/ecstore/src/rpc/http_auth.rs generates the HMAC-SHA256 secret used to sign each RPC request between nodes. When neither the RUSTFS_RPC_SECRET environment variable nor the global S3 key are configured, the function falls back to the default value DEFAULT_SECRET_KEY = 'rustfsadmin', which is embedded in the public source code repository. Anyone who knows this key (and it is publicly available) can independently generate correct HMAC signatures and send any RPC requests to cluster nodes.

Impact

An attacker without any authentication can send authenticated requests to the RPC layer of a RustFS cluster, leading to full compromise of confidentiality, integrity, and availability of stored data.

Mitigation & patch

RustFS should be updated to version 1.0.0-beta.2 or later. Regardless of the update, it is recommended to explicitly configure the RUSTFS_RPC_SECRET environment variable with a strong, random secret to avoid relying on the default value.

Who is affected

RustFS in all versions before 1.0.0-beta.2 where the RUSTFS_RPC_SECRET environment variable or global S3 key have not been configured

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References