← Back

CVE-2026-22782

nvd nist
Published: Jan 16, 2026Modified: Feb 9, 2026

JSON object

Loading...
2.9
Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Show more
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less
Source: security-advisories@github.com (Secondary)

Description

RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls. In crates/ecstore/src/rpc/http_auth.rs, the invalid signature branch logs sensitive data. This log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers. This vulnerability is fixed in 1.0.0-alpha.80.

Affected (79)

Products: Rustfs: Rustfs
Rustfs
1 product
Rustfs
Configuration A
79 vulnerable
Vulnerable SoftwareAffected Versions
Rustfs
Rustfs
Version 1.0.0 alpha10
Rustfs
Version 1.0.0 alpha11
Rustfs
Version 1.0.0 alpha12
Rustfs
Version 1.0.0 alpha13
Rustfs
Version 1.0.0 alpha14
Rustfs
Version 1.0.0 alpha15
Rustfs
Version 1.0.0 alpha16
Rustfs
Version 1.0.0 alpha17
Rustfs
Version 1.0.0 alpha18
Rustfs
Version 1.0.0 alpha19
Rustfs
Version 1.0.0 alpha1
Rustfs
Version 1.0.0 alpha20
Rustfs
Version 1.0.0 alpha21
Rustfs
Version 1.0.0 alpha22
Rustfs
Version 1.0.0 alpha23
Rustfs
Version 1.0.0 alpha24
Rustfs
Version 1.0.0 alpha25
Rustfs
Version 1.0.0 alpha26
Rustfs
Version 1.0.0 alpha27
Rustfs
Version 1.0.0 alpha28
Rustfs
Version 1.0.0 alpha29
Rustfs
Version 1.0.0 alpha2
Rustfs
Version 1.0.0 alpha30
Rustfs
Version 1.0.0 alpha31
Rustfs
Version 1.0.0 alpha32
Rustfs
Version 1.0.0 alpha33
Rustfs
Version 1.0.0 alpha34
Rustfs
Version 1.0.0 alpha35
Rustfs
Version 1.0.0 alpha36
Rustfs
Version 1.0.0 alpha37
Rustfs
Version 1.0.0 alpha38
Rustfs
Version 1.0.0 alpha39
Rustfs
Version 1.0.0 alpha3
Rustfs
Version 1.0.0 alpha40
Rustfs
Version 1.0.0 alpha41
Rustfs
Version 1.0.0 alpha42
Rustfs
Version 1.0.0 alpha43
Rustfs
Version 1.0.0 alpha44
Rustfs
Version 1.0.0 alpha45
Rustfs
Version 1.0.0 alpha46
Rustfs
Version 1.0.0 alpha47
Rustfs
Version 1.0.0 alpha48
Rustfs
Version 1.0.0 alpha49
Rustfs
Version 1.0.0 alpha4
Rustfs
Version 1.0.0 alpha50
Rustfs
Version 1.0.0 alpha51
Rustfs
Version 1.0.0 alpha52
Rustfs
Version 1.0.0 alpha53
Rustfs
Version 1.0.0 alpha54
Rustfs
Version 1.0.0 alpha55
Rustfs
Version 1.0.0 alpha56
Rustfs
Version 1.0.0 alpha57
Rustfs
Version 1.0.0 alpha58
Rustfs
Version 1.0.0 alpha59
Rustfs
Version 1.0.0 alpha5
Rustfs
Version 1.0.0 alpha60
Rustfs
Version 1.0.0 alpha61
Rustfs
Version 1.0.0 alpha62
Rustfs
Version 1.0.0 alpha63
Rustfs
Version 1.0.0 alpha64
Rustfs
Version 1.0.0 alpha65
Rustfs
Version 1.0.0 alpha66
Rustfs
Version 1.0.0 alpha67
Rustfs
Version 1.0.0 alpha68
Rustfs
Version 1.0.0 alpha69
Rustfs
Version 1.0.0 alpha6
Rustfs
Version 1.0.0 alpha70
Rustfs
Version 1.0.0 alpha71
Rustfs
Version 1.0.0 alpha72
Rustfs
Version 1.0.0 alpha73
Rustfs
Version 1.0.0 alpha74
Rustfs
Version 1.0.0 alpha75
Rustfs
Version 1.0.0 alpha76
Rustfs
Version 1.0.0 alpha77
Rustfs
Version 1.0.0 alpha78
Rustfs
Version 1.0.0 alpha79
Rustfs
Version 1.0.0 alpha7
Rustfs
Version 1.0.0 alpha8
Rustfs
Version 1.0.0 alpha9

Related CWEs

CWE-532
Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References (3)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
ExploitVendor Advisory

Timeline

No history available yet.