CVE-2026-45040
Description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, RustFS suffers from sensitive information leakage in log outputs. When the server is run with RUST_LOG=debug sensitive credentials including SessionToken (JWT), SecretAccessKey, and full JWT claims are printed in plaintext to the server logs. This vulnerability is fixed in 1.0.0-beta.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
RustFS before 1.0.0-beta.2 leaks credentials (SessionToken, SecretAccessKey) in debug logs, enabling credential theft from log access.
Vulnerability
RustFS versions prior to 1.0.0-beta.2 leak sensitive credentials in debug-level logs. When the server is run with RUST_LOG=debug, two code paths expose plaintext credentials: the AssumeRole handler in rustfs/src/admin/handlers/sts.rs prints the Credentials struct (including session_token) via the Debug trait, and the s3s dependency logs the full HTTP response body (containing SecretAccessKey and SessionToken) at DEBUG level. Affected versions are all releases before 1.0.0-beta.2 [1].
Exploitation
An attacker requires read access to the server's debug logs—no additional authentication or network position is needed beyond that. If the server is configured with RUST_LOG=debug and an attacker can read the logs (e.g., through a log aggregation service, file access, or a separate vulnerability), they can obtain the exposed credentials. No user interaction or race condition is required; the credentials are logged immediately during STS operations such as AssumeRole [1].
Impact
Successful exploitation yields the plaintext SessionToken (a JWT) and SecretAccessKey for the issued credentials. An attacker can use these to authenticate as the assumed role, gaining unauthorized access to the RustFS object storage and all data accessible to that role. This results in complete compromise of the confidentiality and integrity of stored objects, as well as potential privilege escalation [1].
Mitigation
The vulnerability is fixed in RustFS version 1.0.0-beta.2; users must upgrade to this release or later. The fix introduces a Masked wrapper for session_token in the Credentials Debug implementation and redacts the Body::Once content in the s3s dependency's debug logging. The reference provides no workaround for earlier versions beyond upgrading [1]. Because the leak only occurs when the server runs with RUST_LOG=debug, keeping production servers below debug level avoids the exposure, but it does not remove the flawed logging, and any log written at debug level by an affected version should be treated as containing live credentials.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Sensitive credentials are printed in plaintext via Rust's Debug trait logging in two code paths."
Attack vector
An attacker who can observe server logs (e.g., through log aggregation, file access, or container stdout) can read plaintext credentials. The server must be started with `RUST_LOG=debug` to enable the verbose logging that exposes the secrets [ref_id=1]. The attacker does not need to trigger the leakage themselves: any valid (SigV4-signed) STS `AssumeRole` request from a legitimate client causes both the `Credentials` struct and the full XML response to be written to the logs [ref_id=1].
Affected code
Two code locations are at fault. In `rustfs/src/admin/handlers/sts.rs` (line 253), the `Credentials` struct is logged via the `Debug` trait, printing the `session_token` (a full JWT) in plaintext. In `s3s/crates/s3s/src/service.rs` (line 642), the full HTTP response body—an XML document containing `SecretAccessKey` and `SessionToken`—is logged at the DEBUG level [ref_id=1].
What the fix does
Fix 1 modifies the `Debug` implementation of `Credentials` in `crates/credentials/src/credentials.rs` to wrap `session_token` in a `Masked` wrapper, matching how `secret_key` was already handled. Fix 2 patches the `s3s` dependency so that `Body::Once`'s `Debug` implementation prints only the byte length instead of the raw byte content. Together these changes prevent both the struct-level and response-body-level leakage of `SessionToken` and `SecretAccessKey` [ref_id=1].
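The following is an added Rust example, not RustFS or s3s code, showing the mechanism both fixes rely on: a newtype whose `Debug` output never contains the wrapped value, and a body wrapper whose `Debug` reports only the byte length. The `Masked`, `LeakyCredentials`, `Credentials` and `Body` types, the field layout, the sample key strings and the placeholder JWT are all assumptions made for the example; the real `Credentials` type in `crates/credentials/src/credentials.rs` is not reproduced here.

```rust
use std::fmt;

/// Hypothetical newtype (example code, not the project's `Masked`): its
/// `Debug` impl writes a fixed marker, so `{:?}` can never print the secret.
pub struct Masked<T>(pub T);

impl<T> fmt::Debug for Masked<T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Masked")
    }
}

impl<T> Masked<T> {
    /// Explicit accessor: the only way to get the value back out, so the
    /// secret is used deliberately and never rendered by accident.
    pub fn expose(&self) -> &T {
        &self.0
    }
}

/// Hypothetical "before" shape: a derived `Debug` prints every field verbatim,
/// which is the struct-level leak in the vulnerable `AssumeRole` handler.
#[derive(Debug)]
pub struct LeakyCredentials {
    pub access_key: String,
    pub secret_key: String,
    pub session_token: String,
}

/// Hypothetical "after" shape: both secrets are wrapped, so the derived
/// `Debug` delegates to `Masked` and only the access key is printed.
#[derive(Debug)]
pub struct Credentials {
    pub access_key: String,
    pub secret_key: Masked<String>,
    pub session_token: Masked<String>,
}

/// Hypothetical response-body wrapper: `Debug` reports the length only,
/// which is the shape of the s3s `Body::Once` fix instead of dumping bytes.
pub struct Body(pub Vec<u8>);

impl fmt::Debug for Body {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "Body(len={})", self.0.len())
    }
}

// Constructed sample values; the JWT is a hand-made placeholder, not a real token.
pub const ACCESS_KEY: &str = "AKIAEXAMPLEACCESSKEY";
pub const SECRET_KEY: &str = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
pub const SESSION_TOKEN: &str = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.sig";

/// Renders the vulnerable struct the way a `debug!("{:?}", creds)` call would.
pub fn leaky_debug() -> String {
    let creds = LeakyCredentials {
        access_key: ACCESS_KEY.to_string(),
        secret_key: SECRET_KEY.to_string(),
        session_token: SESSION_TOKEN.to_string(),
    };
    format!("{:?}", creds)
}

/// Renders the fixed struct with the same `{:?}`; no secret reaches the log line.
pub fn masked_debug() -> String {
    let creds = Credentials {
        access_key: ACCESS_KEY.to_string(),
        secret_key: Masked(SECRET_KEY.to_string()),
        session_token: Masked(SESSION_TOKEN.to_string()),
    };
    // The handler can still use the secret where it is needed ...
    assert_eq!(creds.session_token.expose(), SESSION_TOKEN);
    // ... but any Debug rendering of the struct is safe to log.
    format!("{:?}", creds)
}

/// Renders a response body as the length-only `Debug` would.
pub fn body_debug(xml: &[u8]) -> String {
    format!("{:?}", Body(xml.to_vec()))
}

fn main() {
    println!("before: {}", leaky_debug());
    println!("after:  {}", masked_debug());
    let xml = b"<Credentials><SecretAccessKey>...</SecretAccessKey></Credentials>";
    println!("body:   {}", body_debug(xml));
}
```

The design point is that the protection lives in the type, not in the call site: once a field is `Masked<String>`, every existing and future `{:?}` in the code base is safe without auditing each log statement, and the `expose()` accessor makes every deliberate use of the secret greppable.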
Preconditions
- config: Server must be started with the `RUST_LOG=debug` environment variable set
- input: Attacker must be able to read server logs (e.g., log file access, log aggregation service, container stdout)
Reproduction
1. Start RustFS with debug logging: `RUST_LOG=debug RUSTFS_ACCESS_KEY=minioadmin RUSTFS_SECRET_KEY=minioadmin ./rustfs server --address :9000 /tmp/rustfs_data > ./1.log` [ref_id=1].
2. Send an STS `AssumeRole` request using the provided Python script (which performs SigV4 signing) [ref_id=1].
3. Inspect the log output: the `SecretAccessKey` and `SessionToken` appear in plaintext in two log entries, one from `s3s::service` (line 642) showing the full XML response body, and one from `rustfs::admin::handlers::sts` (line 253) showing the `Credentials` struct with the JWT `session_token` [ref_id=1].
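After step 3 the practical question for an operator is whether logs already collected from an affected server contain these entries. The following is an added Rust example (not part of the advisory, RustFS or s3s) that scans log text for the two shapes described above: an XML `SecretAccessKey` or `SessionToken` element from the response-body dump, and a bare JWT such as the `session_token` in the `Credentials` struct dump. The sample log lines are constructed to imitate those entries; the timestamps, key values and JWT are invented, and the real server's line format may differ.

```rust
/// One hit from the scan; `redacted` is safe to include in an alert.
#[derive(Debug, PartialEq)]
pub struct Finding {
    pub line_no: usize,
    pub kind: &'static str,
    pub redacted: String,
}

/// Constructed sample (not real server output): the s3s response-body dump,
/// the `Credentials` struct dump, and one harmless line.
pub const SAMPLE_LOG: &str = concat!(
    "2026-05-28T10:00:00Z DEBUG s3s::service: response body: Body::Once(b\"",
    "<AssumeRoleResponse><AssumeRoleResult><Credentials>",
    "<AccessKeyId>AKIAEXAMPLEACCESSKEY</AccessKeyId>",
    "<SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</SecretAccessKey>",
    "<SessionToken>eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.sig</SessionToken>",
    "</Credentials></AssumeRoleResult></AssumeRoleResponse>\")\n",
    "2026-05-28T10:00:00Z DEBUG rustfs::admin::handlers::sts: Credentials { ",
    "access_key: \"AKIAEXAMPLEACCESSKEY\", secret_key: Masked, ",
    "session_token: \"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.sig\" }\n",
    "2026-05-28T10:00:01Z INFO rustfs: listening on :9000\n"
);

/// Characters that can appear inside a base64url token or its '.' separators.
fn is_token_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || c == '-' || c == '_' || c == '.'
}

/// Three non-empty base64url segments whose first starts with `eyJ`
/// (the base64 of `{"`), which is how every JSON JWT header begins.
pub fn is_jwt_like(tok: &str) -> bool {
    let parts: Vec<&str> = tok.split('.').collect();
    parts.len() == 3
        && parts[0].starts_with("eyJ")
        && parts
            .iter()
            .all(|p| !p.is_empty() && p.chars().all(|c| c != '.' && is_token_char(c)))
}

/// Text between `<tag>` and `</tag>` on this line, if both are present.
pub fn extract_tag<'a>(line: &'a str, tag: &str) -> Option<&'a str> {
    let open = format!("<{}>", tag);
    let close = format!("</{}>", tag);
    let start = line.find(&open)? + open.len();
    let end = start + line[start..].find(&close)?;
    Some(&line[start..end])
}

/// Keeps a short prefix for correlation with a key inventory, never the whole secret.
pub fn redact(secret: &str) -> String {
    let shown: String = secret.chars().take(6).collect();
    format!("{}...(len={})", shown, secret.len())
}

/// Scans multi-line log text for the credential shapes this bug writes at DEBUG level.
pub fn scan_logs(log: &str) -> Vec<Finding> {
    let mut out = Vec::new();
    for (idx, line) in log.lines().enumerate() {
        let line_no = idx + 1;
        let mut seen_tokens: Vec<&str> = Vec::new();
        // XML elements from the response-body dump.
        for tag in ["SecretAccessKey", "SessionToken"] {
            if let Some(v) = extract_tag(line, tag) {
                seen_tokens.push(v);
                out.push(Finding { line_no, kind: tag, redacted: redact(v) });
            }
        }
        // Bare JWTs outside XML, e.g. `session_token: "eyJ..."` in the struct dump;
        // a token already reported as a <SessionToken> value is not reported twice.
        for tok in line.split(|c: char| !is_token_char(c)) {
            if is_jwt_like(tok) && !seen_tokens.contains(&tok) {
                out.push(Finding { line_no, kind: "jwt", redacted: redact(tok) });
            }
        }
    }
    out
}

fn main() {
    for f in scan_logs(SAMPLE_LOG) {
        println!("line {}: {} leaked ({})", f.line_no, f.kind, f.redacted);
    }
}
```

Run it over the real `1.log` (or the aggregator's export) by reading the file into a string and passing it to `scan_logs`; every hit identifies a key pair that should be rotated, and the redacted prefix is enough to map the hit to an access key without copying the secret into the ticket.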
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.