Moderate severityNVD Advisory· Published Feb 3, 2026· Updated Feb 3, 2026

RustFS Logs Sensitive Credentials in Plaintext

CVE-2026-24762

Description

RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material (access key, secret key, session token) to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be accessible to internal or external log consumers and could lead to compromise of sensitive credentials. This issue has been patched in version alpha.82.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
rustfscrates.io	>= 1.0.0-alpha.13, < 1.0.0-alpha.82	1.0.0-alpha.82

Affected products

Rustfs/Rustfsv5
Range: >= alpha.13, < alpha.82

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-r54g-49rx-98crghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-24762ghsaADVISORY
github.com/rustfs/rustfs/security/advisories/GHSA-r54g-49rx-98crghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000