CubeFS leaks magic secret key when starting Blobstore access service
Description
CubeFS is an open-source cloud-native file storage system. A vulnerability was found in CubeFS prior to version 3.3.1 that could allow users to read sensitive data from the logs, which could allow them to escalate privileges. CubeFS leaks configuration keys in plaintext format in the logs. These keys could allow anyone to carry out operations on blobs that they otherwise do not have permissions for. For example, an attacker that has successfully retrieved a secret key from the logs can delete blobs from the blob store. The attacker can either be an internal user with limited privileges to read the log, or they can be an external user who has escalated privileges sufficiently to access the logs. The vulnerability has been patched in v3.3.1. There is no other mitigation than upgrading.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CubeFS prior to v3.3.1 leaks secret configuration keys in plaintext logs, allowing attackers with log access to perform unauthorized blob operations.
Vulnerability Description
CubeFS, an open-source cloud-native distributed storage system, logs sensitive configuration keys in plaintext when starting the Blobstore access service [1][4]. This exposes secret keys that are intended to authenticate and authorize blob operations.
Attack Vector
An attacker can exploit this vulnerability if they have access to the logs. This could be an internal user with limited privileges to read logs, or an external user who has escalated privileges sufficiently to access the logs [1][4]. No additional authentication is required beyond log access.
Impact
With the leaked secret keys, an attacker can perform operations on blobs that they are not authorized to do, such as deleting blobs from the blob store [1][4]. This compromises data integrity and could lead to data loss.
Mitigation
The vulnerability has been patched in CubeFS version 3.3.1 [1][4]. There is no other mitigation; users must upgrade to the patched version to remediate the issue.
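Taking the Attack Vector, Impact and Mitigation paragraphs above together, the following Go program is an added example and not CubeFS code: it scans constructed log lines for the startup message that the fix removed, recomputes the 8-byte checksum secret from a leaked region magic the way the patched function still does (SHA-1 of the magic, first 8 bytes, as visible in the fix commit), and shows a startup message that confirms the configuration without writing the value. The log line layout, the sample region magic, the `ScanLogs`/`safeStartupMessage` helpers and the `Finding` type are assumptions for this example; only the message text and the derivation come from the fix commit.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// leakMarker is the message text of the log.Info call deleted by commit 972f0275:
//     log.Info("using magic secret keys for checksum with:", regionMagic)
// Only this text is taken from the diff; how the CubeFS logger lays out the rest of
// the line (timestamp, level, caller) is an assumption, so the regex matches the
// marker anywhere in a line and captures whatever token follows it.
const leakMarker = "using magic secret keys for checksum with:"

var leakRe = regexp.MustCompile(regexp.QuoteMeta(leakMarker) + `\s*(\S+)`)

// sampleLog is constructed for this example; it is not real CubeFS output.
const sampleLog = `2023-11-01 10:00:01 [INFO] access/server.go:82 using magic secret keys for checksum with:region-magic-2023
2023-11-01 10:00:01 [INFO] access/server.go:140 access service started
2023-11-01 10:00:02 [INFO] access/server.go:301 put blob ok, size=4096`

// Finding records one leaked region magic and the secret an attacker derives from it.
type Finding struct {
	Line        int
	RegionMagic string
	SecretHex   string
}

// deriveChecksumSecret mirrors the derivation that the fixed function still performs
// after the log line is removed: SHA-1 over the region magic, truncated to 8 bytes,
// which is the value both initTokenSecret and initLocationSecret receive. Anyone who
// copied the magic out of an old log can compute this; upgrading does not change it.
func deriveChecksumSecret(regionMagic string) []byte {
	b := sha1.Sum([]byte(regionMagic))
	return b[:8]
}

// ScanLogs reports every line in logText that carries the leaked startup message.
func ScanLogs(logText string) []Finding {
	var out []Finding
	for i, line := range strings.Split(logText, "\n") {
		m := leakRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		out = append(out, Finding{
			Line:        i + 1,
			RegionMagic: m[1],
			SecretHex:   hex.EncodeToString(deriveChecksumSecret(m[1])),
		})
	}
	return out
}

// safeStartupMessage is a hypothetical replacement for the deleted line: it tells the
// operator which branch was taken without writing the magic, or anything derived from
// it, into the log. The empty-magic text matches the log.Warn that the fix keeps.
func safeStartupMessage(regionMagic string) string {
	if regionMagic == "" {
		return "no region magic setting, using default secret keys for checksum"
	}
	return "using magic secret keys for checksum (region magic configured, value withheld)"
}

func main() {
	for _, f := range ScanLogs(sampleLog) {
		fmt.Printf("line %d: region magic %q leaked; derived checksum secret %s\n",
			f.Line, f.RegionMagic, f.SecretHex)
	}
	fmt.Println("hardened startup message:", safeStartupMessage("region-magic-2023"))
}
```

Run with `go run`; the first line of the sample is reported with the secret an attacker would hold. The point for responders is that a region magic found in logs written before the upgrade still produces the live checksum secret, so after upgrading, any deployment whose logs were readable should also rotate its region magic and restrict or purge the old log files.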
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/cubefs/cubefs (Go) | < 3.3.1 | 3.3.1 |
Affected products
- cubefs/cubefs: range < 3.3.1
Patches
972f0275ee8d fix(security): leaks magic secret key when starting blobstore access service
1 file changed · +0 −2
blobstore/access/server.go+0 −2 modified@@ -78,8 +78,6 @@ func initWithRegionMagic(regionMagic string) { log.Warn("no region magic setting, using default secret keys for checksum") return } - - log.Info("using magic secret keys for checksum with:", regionMagic) b := sha1.Sum([]byte(regionMagic)) initTokenSecret(b[:8]) initLocationSecret(b[:8])
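Review bot: Deleting the log.Info line closes the plaintext leak, but the derivation that follows it in initWithRegionMagic (`b := sha1.Sum([]byte(regionMagic))`, then `initTokenSecret(b[:8])` and `initLocationSecret(b[:8])`) is unchanged, so a region magic already written into existing log files still yields the same token and location secrets after the upgrade; the fix note should tell operators to rotate the region magic and purge or restrict old logs rather than rely on upgrading alone. A second point: the log.Warn in the empty-magic branch is kept, but the operator now gets no startup confirmation that a custom magic is in effect; consider keeping an Info line that omits the value, for example `log.Info("using magic secret keys for checksum (region magic configured)")`.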
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8h2x-gr2c-c275 (source: GHSA; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-46741 (source: GHSA; ADVISORY)
- github.com/cubefs/cubefs/commit/972f0275ee8d5dbba4b1530da7c145c269b31ef5 (source: GHSA; x_refsource_MISC; WEB)
- github.com/cubefs/cubefs/security/advisories/GHSA-8h2x-gr2c-c275 (source: GHSA; x_refsource_CONFIRM; WEB)
News mentions
No linked articles in our index yet.