CVE-2026-45039
CRITICAL
9.8
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, get_shared_secret() in crates/ecstore/src/rpc/http_auth.rs, falls back to the public, source-tree-embedded DEFAULT_SECRET_KEY = 'rustfsadmin' when neither the RUSTFS_RPC_SECRET environment variable nor the global S3 secret key has been configured. This vulnerability is fixed in 1.0.0-beta.2.
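The defect described above is a fail-open lookup: when no operator-supplied secret exists, the function returns a value that is public in the source tree, so every node in the cluster is signing with a key any reader of the repository knows. The following Rust snippet is an added illustration, not RustFS code; it reconstructs the fallback shape the advisory describes beside a fail-closed alternative. The struct, function and error names, the 32-byte minimum length and the helper secret_from_env are all assumptions made for the example; only the environment variable name and the default value come from the advisory.

```rust
// Added example (not from the RustFS project): a shared-secret lookup that
// silently falls back to a source-embedded default, beside a fail-closed one.

/// Stand-in for the source-tree-embedded default named in the advisory.
const DEFAULT_SECRET_KEY: &str = "rustfsadmin";

/// Minimum accepted secret length (assumed policy for this example).
const MIN_SECRET_BYTES: usize = 32;

/// The two configuration sources the advisory names: the RUSTFS_RPC_SECRET
/// environment variable and the global S3 secret key (hypothetical struct).
#[derive(Default)]
pub struct SecretSources<'a> {
    pub rpc_secret_env: Option<&'a str>,
    pub global_s3_secret: Option<&'a str>,
}

#[derive(Debug, PartialEq)]
pub enum SecretError {
    NotConfigured,
    IsKnownDefault,
    TooShort(usize),
}

/// Vulnerable shape (reconstruction, not the project's code): when neither
/// source is set, the public default is returned and RPC keeps working.
pub fn get_shared_secret_fallback(src: &SecretSources) -> String {
    src.rpc_secret_env
        .or(src.global_s3_secret)
        .unwrap_or(DEFAULT_SECRET_KEY)
        .to_string()
}

/// Hardened shape: refuse to start rather than sign with a known value.
/// Blank entries are skipped so an empty env var cannot mask a configured
/// S3 key, and the known default is rejected even if an operator set it.
pub fn get_shared_secret_strict(src: &SecretSources) -> Result<String, SecretError> {
    let candidate = [src.rpc_secret_env, src.global_s3_secret]
        .iter()
        .copied()
        .flatten()
        .map(str::trim)
        .find(|s| !s.is_empty())
        .ok_or(SecretError::NotConfigured)?;
    if candidate == DEFAULT_SECRET_KEY {
        return Err(SecretError::IsKnownDefault);
    }
    if candidate.len() < MIN_SECRET_BYTES {
        return Err(SecretError::TooShort(candidate.len()));
    }
    Ok(candidate.to_string())
}

/// Startup self-check against the live environment. Assumption: only the env
/// var is consulted here; a real deployment would also pass the S3 key.
pub fn secret_from_env() -> Result<String, SecretError> {
    let env_val = std::env::var("RUSTFS_RPC_SECRET").ok();
    let src = SecretSources {
        rpc_secret_env: env_val.as_deref(),
        global_s3_secret: None,
    };
    get_shared_secret_strict(&src)
}

fn main() {
    let unconfigured = SecretSources::default();
    // The fallback variant happily returns the public default; the strict
    // variant reports NotConfigured so the node can refuse to serve RPC.
    println!("fallback: {:?}", get_shared_secret_fallback(&unconfigured));
    println!("strict:   {:?}", get_shared_secret_strict(&unconfigured));
    match secret_from_env() {
        Ok(_) => println!("RUSTFS_RPC_SECRET is set and acceptable"),
        Err(e) => println!("refusing to start internode RPC: {:?}", e),
    }
}
```

The useful property for a defender is that a misconfigured node fails loudly at startup instead of joining the cluster with a guessable key; the same strict function doubles as a deployment audit when run against a node's environment.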
CWE-798: Use of Hard-coded Credentials (status: Draft)
Common Consequences
Security Scopes Affected:
Access Control
Integrity
Confidentiality
Availability
Other
Potential Impacts:
Bypass Protection Mechanism
Read Application Data
Gain Privileges Or Assume Identity
Execute Unauthorized Code Or Commands
Other
Applicable Platforms
Technologies:
Mobile, ICS/OT
CWE-1392: Use of Default Credentials (status: Incomplete)
Common Consequences
Security Scopes Affected:
Authentication
Potential Impacts:
Gain Privileges Or Assume Identity
Applicable Platforms
Technologies:
ICS/OT, Not Technology-Specific
https://github.com/rustfs/rustfs/security/advisories/GHSA-r5qv-rc46-hv8q