CubeFS leaks users key in logs
Description
CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users' secret keys and access keys in the logs in multiple components. When CubeFS creates new users, it leaks the user's secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves. The issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An information disclosure vulnerability in CubeFS prior to v3.3.1 leaks users' secret keys and access keys in logs, enabling privilege escalation.
Root cause
CubeFS, an open-source cloud-native distributed file and object storage system, prior to version 3.3.1 leaks users' secret keys and access keys in the logs across multiple components. The flaw specifically occurs when CubeFS creates new users: the createKey function in the master component logs the access key and secret key via log.LogInfof("action[createUser], userID: %v, accesskey[%v], secretkey[%v]", userID, accessKey, secretKey), as shown in the fix commit [3].
Exploitation
An attacker with lower-privileged access to the system logs, either through direct log file access or via log aggregation services, can retrieve the leaked secret keys and access keys. No additional authentication or network position is required beyond the ability to read logs where these credentials are written [1][4].
Impact
By obtaining a user's secret key, the attacker can impersonate that user, including those with higher privileges. This enables the attacker to perform actions on behalf of the victim, potentially compromising the confidentiality, integrity, and availability of the CubeFS cluster [1][4].
Mitigation
The vulnerability has been patched in CubeFS version 3.3.1. There is no workaround available; upgrading to the patched version is the only mitigation [1][4]. The issue was discovered during a security audit by Ada Logics in collaboration with OSTIF and the CNCF [4].
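Upgrading stops new keys from being written to the logs, but keys that were already logged before the upgrade remain exposed wherever those logs were stored or shipped. The following Go program is an added example (not CubeFS code) that scans log lines for the exact createUser message quoted in the fix commit, reports which user IDs had keys written out so they can be rotated, and redacts the credentials from retained copies. The log lines, user IDs and key values in sampleLog are constructed for the example, and the timestamp prefix is an assumption rather than CubeFS's real log layout.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// createUserLogPattern matches the message format emitted by the vulnerable
// createKey function (copied from the fix commit on this page). The capture
// groups are the user ID, the access key and the secret key.
var createUserLogPattern = regexp.MustCompile(
	`action\[createUser\], userID: (\S+), accesskey\[([^\]]*)\], secretkey\[([^\]]*)\]`)

// Leak records one credential exposure found in the logs. Only the user ID
// and a masked prefix of the access key are kept, so the finding itself does
// not reproduce the secret.
type Leak struct {
	Line          int
	UserID        string
	AccessKeyHint string
}

// maskKey keeps the first 4 characters of a key and replaces the rest with '*'.
func maskKey(k string) string {
	if len(k) <= 4 {
		return strings.Repeat("*", len(k))
	}
	return k[:4] + strings.Repeat("*", len(k)-4)
}

// FindLeakedKeys scans log lines for the createUser message and reports which
// users' keys have been written to the log and therefore need rotation.
func FindLeakedKeys(lines []string) []Leak {
	var leaks []Leak
	for i, line := range lines {
		m := createUserLogPattern.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		leaks = append(leaks, Leak{Line: i + 1, UserID: m[1], AccessKeyHint: maskKey(m[2])})
	}
	return leaks
}

// RedactLine replaces both keys in a matching line with [REDACTED] so that
// copies of old logs can be kept for audit without the credentials. Lines
// that do not match are returned unchanged.
func RedactLine(line string) string {
	return createUserLogPattern.ReplaceAllString(line,
		"action[createUser], userID: $1, accesskey[[REDACTED]], secretkey[[REDACTED]]")
}

// sampleLog is constructed for this example; the timestamp layout, user IDs
// and key values are fake and do not come from a real CubeFS deployment.
var sampleLog = []string{
	"2023/10/01 12:00:00 [INFO] action[createUser], userID: alice, accesskey[AKIAEXAMPLE0001], secretkey[s3cr3tExampleAlice]",
	"2023/10/01 12:00:05 [INFO] action[deleteUser], userID: bob",
	"2023/10/01 12:01:00 [INFO] action[createUser], userID: carol, accesskey[AKIAEXAMPLE0002], secretkey[s3cr3tExampleCarol]",
}

func main() {
	for _, l := range FindLeakedKeys(sampleLog) {
		fmt.Printf("line %d: user %s (access key %s) needs key rotation\n", l.Line, l.UserID, l.AccessKeyHint)
	}
	fmt.Println(RedactLine(sampleLog[0]))
}
```

In practice FindLeakedKeys would be fed the master component's log files (and any copies held by a log aggregation service), and every user it reports should have both keys regenerated after the upgrade to 3.3.1; RedactLine is for sanitising the retained log archives once rotation is done.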
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/cubefs/cubefs | Go | < 3.3.1 | 3.3.1 |
Affected products
- cubefs/cubefs, affected range: < 3.3.1
Patches
8dccce6ac8df fix(master): CubeFS leaks users key in logs
1 file changed · +1 −1
master/user.go+1 −1 modified@@ -106,7 +106,7 @@ func (u *User) createKey(param *proto.UserCreateParam) (userInfo *proto.UserInfo } u.userStore.Store(userID, userInfo) u.AKStore.Store(accessKey, AKUser) - log.LogInfof("action[createUser], userID: %v, accesskey[%v], secretkey[%v]", userID, accessKey, secretKey) + return }
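Review bot: the replacement `+ return` at the end of createKey is a no-op (a bare return immediately before the closing brace of a function with named results) and can be dropped; deleting the log line alone is enough. Removing the statement outright also loses the only record that a user was created, so consider keeping a redacted entry such as `log.LogInfof("action[createUser], userID: %v", userID)` so user creation stays auditable without writing accessKey or secretKey. Finally, the advisory text above says keys leak "in multiple components", but this change touches only master/user.go (1 file changed); the other call sites should be covered in this patch or the commit message should state where they are fixed.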
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://github.com/advisories/GHSA-vwch-g97w-hfg2 (GHSA advisory)
2. https://nvd.nist.gov/vuln/detail/CVE-2023-46742 (NVD entry)
3. https://github.com/cubefs/cubefs/commit/8dccce6ac8dff3db44d7e9074094c7303a5ff5dd (fix commit)
4. https://github.com/cubefs/cubefs/security/advisories/GHSA-vwch-g97w-hfg2 (CubeFS repository advisory)