VYPR
Low severity · OSV Advisory · Published Jan 16, 2026 · Updated Jan 16, 2026

RustFS RPC signature verification logs shared secret

CVE-2026-22782

Description

RustFS is a distributed object storage system built in Rust. In versions from 1.0.0-alpha.1 through 1.0.0-alpha.79, an invalid RPC signature causes the server to log the shared HMAC secret (together with the expected signature), which exposes the secret to anyone who can read the logs and lets them forge RPC calls. In crates/ecstore/src/rpc/http_auth.rs, the invalid-signature branch logs this sensitive data: the log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path, and the function is reachable from the RPC and admin request handlers. This vulnerability is fixed in 1.0.0-alpha.80.
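As an added illustration (not RustFS code; written in Python for the standard-library hmac module rather than Rust), the following shows the failure-path logging pattern the advisory describes beside a hardened version that logs only request metadata, plus an audit check that scans captured log lines for the key or a valid signature. The canonical request format, the key value and the request id are constructed for the demo.

```python
import hashlib
import hmac
from typing import List

# Constructed demo key; not RustFS key material.
SHARED_SECRET = b"constructed-demo-shared-secret"


def sign(secret: bytes, method: str, path: str, body: bytes) -> str:
    """HMAC-SHA256 over a simple canonical request (assumed format)."""
    msg = b"\n".join([method.encode(), path.encode(), body])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_leaky(secret: bytes, method: str, path: str, body: bytes,
                 presented: str, log: List[str]) -> bool:
    """Failure path in the shape the advisory describes: the log line
    carries the secret and the expected signature."""
    expected = sign(secret, method, path, body)
    if not hmac.compare_digest(expected, presented):
        log.append(f"invalid signature: secret={secret.decode()} "
                   f"expected_signature={expected}")
        return False
    return True


def verify_fixed(secret: bytes, method: str, path: str, body: bytes,
                 presented: str, log: List[str], request_id: str) -> bool:
    """Hardened failure path: record what is needed to investigate
    (request id, route) and nothing derived from the key."""
    expected = sign(secret, method, path, body)
    if not hmac.compare_digest(expected, presented):
        log.append(f"invalid signature: request_id={request_id} "
                   f"method={method} path={path}")
        return False
    return True


def log_exposes_key(log: List[str], secret: bytes, method: str, path: str,
                    body: bytes) -> bool:
    """Audit check: does any log line contain the key or a valid
    signature for this request? Run it over captured server logs
    to confirm the failure path no longer leaks key-derived data."""
    expected = sign(secret, method, path, body)
    needles = (secret.decode(), expected)
    return any(n in line for line in log for n in needles)
```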

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Affected versions                    Patched versions
rustfs (crates.io)   >= 1.0.0-alpha.1, < 1.0.0-alpha.80   1.0.0-alpha.80

Affected products (2)

  • Range: 1.0.0-alpha.1, 1.0.0-alpha.10, 1.0.0-alpha.11, …
  • ghsa-coords
    Range: >= 1.0.0-alpha.1, < 1.0.0-alpha.80
