CVE-2026-22782

Source
https://cve.org/CVERecord?id=CVE-2026-22782
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22782.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-22782
Aliases
Published
2026-01-16T16:14:15.203Z
Modified
2026-01-18T03:44:24.152067Z
Severity
  • 2.9 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Summary
RustFS RPC signature verification logs shared secret
Details

RustFS is a distributed object storage system built in Rust. In versions from 1.0.0-alpha.1 through 1.0.0-alpha.79, an invalid RPC signature causes the server to log the shared HMAC secret (together with the expected signature), which exposes the secret to anyone who can read the logs and enables forged RPC calls. In crates/ecstore/src/rpc/httpauth.rs, the invalid-signature branch logs sensitive data: the log line includes secret and expectedsignature, both derived from the shared HMAC key. Any invalidly signed request triggers this path, and the function is reachable from the RPC and admin request handlers. This vulnerability is fixed in 1.0.0-alpha.80.
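The pattern the advisory describes, shown as an added example that is not RustFS code: a signature check whose failure branch writes the key and the expected MAC to the log, next to a hardened version that compares in constant time and logs only request metadata, plus a log-hygiene check that a unit test can run to catch the leak. It is written in Python with the standard-library hmac module so it runs without extra dependencies; the request canonicalisation, the RpcRequest type, the demo secret and the /rpc/heal path are all constructed for the example and do not reflect RustFS internals.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List

# Constructed demo secret; a real deployment derives this from its own shared HMAC key.
SHARED_SECRET = b"constructed-demo-shared-secret"


@dataclass
class RpcRequest:
    method: str
    path: str
    body: bytes
    signature: str  # hex HMAC-SHA256 supplied by the caller


def canonical_message(req: RpcRequest) -> bytes:
    """Hypothetical canonicalisation: method, path and body joined by newlines."""
    return b"\n".join([req.method.encode(), req.path.encode(), req.body])


def sign(secret: bytes, req: RpcRequest) -> str:
    return hmac.new(secret, canonical_message(req), hashlib.sha256).hexdigest()


def verify_leaky(secret: bytes, req: RpcRequest, log: List[str]) -> bool:
    """Pattern described in the advisory: the invalid-signature branch writes the
    shared secret and the expected signature to the log (CWE-532)."""
    expected = sign(secret, req)
    if req.signature != expected:  # plain != is also not constant-time
        log.append(
            f"invalid signature: secret={secret!r} expected={expected} got={req.signature}"
        )
        return False
    return True


def verify_hardened(secret: bytes, req: RpcRequest, log: List[str]) -> bool:
    """Hardened branch: constant-time comparison, and the log line carries only
    request metadata, never the key or anything derived from it."""
    expected = sign(secret, req)
    if not hmac.compare_digest(expected, req.signature):
        log.append(
            f"invalid signature: method={req.method} path={req.path} "
            f"sig_len={len(req.signature)}"
        )
        return False
    return True


def log_exposes_key_material(log: List[str], secret: bytes, req: RpcRequest) -> bool:
    """Log-hygiene check: True if any log line contains the secret (as text or
    repr) or the expected signature for this request."""
    needles = {secret.decode(errors="replace"), repr(secret), sign(secret, req)}
    return any(n in line for line in log for n in needles)


def demo() -> dict:
    good = RpcRequest("POST", "/rpc/heal", b"{}", "")
    good.signature = sign(SHARED_SECRET, good)
    forged = RpcRequest("POST", "/rpc/heal", b"{}", "00" * 32)  # garbage signature

    leaky_log, hardened_log = [], []
    return {
        "leaky_accepts_good": verify_leaky(SHARED_SECRET, good, leaky_log),
        "leaky_rejects_forged": not verify_leaky(SHARED_SECRET, forged, leaky_log),
        "hardened_accepts_good": verify_hardened(SHARED_SECRET, good, hardened_log),
        "hardened_rejects_forged": not verify_hardened(SHARED_SECRET, forged, hardened_log),
        "leaky_log_exposes_key": log_exposes_key_material(leaky_log, SHARED_SECRET, forged),
        "hardened_log_exposes_key": log_exposes_key_material(hardened_log, SHARED_SECRET, forged),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both verifiers accept the good request and reject the forged one; the difference is entirely in what the failure path leaves behind. The log_exposes_key_material check is the kind of assertion worth keeping in a test suite for any auth path, since a mismatch branch is exercised by every malformed request an unauthenticated caller can send.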

Database specific
{
    "cwe_ids": [
        "CWE-532"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22782.json"
}
References

Affected packages

Git / github.com/rustfs/rustfs

Affected ranges

Type
GIT
Repo
https://github.com/rustfs/rustfs
Events

Affected versions

1.*

1.0.0-alpha.1
1.0.0-alpha.10
1.0.0-alpha.11
1.0.0-alpha.12
1.0.0-alpha.13
1.0.0-alpha.14
1.0.0-alpha.15
1.0.0-alpha.16
1.0.0-alpha.17
1.0.0-alpha.18
1.0.0-alpha.19
1.0.0-alpha.2
1.0.0-alpha.20
1.0.0-alpha.21
1.0.0-alpha.22
1.0.0-alpha.23
1.0.0-alpha.24
1.0.0-alpha.25
1.0.0-alpha.26
1.0.0-alpha.27
1.0.0-alpha.28
1.0.0-alpha.29
1.0.0-alpha.3
1.0.0-alpha.30
1.0.0-alpha.31
1.0.0-alpha.32
1.0.0-alpha.33
1.0.0-alpha.34
1.0.0-alpha.35
1.0.0-alpha.36
1.0.0-alpha.37
1.0.0-alpha.38
1.0.0-alpha.39
1.0.0-alpha.4
1.0.0-alpha.40
1.0.0-alpha.41
1.0.0-alpha.42
1.0.0-alpha.43
1.0.0-alpha.44
1.0.0-alpha.45
1.0.0-alpha.46
1.0.0-alpha.47
1.0.0-alpha.48
1.0.0-alpha.49
1.0.0-alpha.5
1.0.0-alpha.50
1.0.0-alpha.51
1.0.0-alpha.52
1.0.0-alpha.53
1.0.0-alpha.54
1.0.0-alpha.55
1.0.0-alpha.56
1.0.0-alpha.57
1.0.0-alpha.58
1.0.0-alpha.59
1.0.0-alpha.6
1.0.0-alpha.60
1.0.0-alpha.61
1.0.0-alpha.62
1.0.0-alpha.63
1.0.0-alpha.64
1.0.0-alpha.65
1.0.0-alpha.66
1.0.0-alpha.67
1.0.0-alpha.68
1.0.0-alpha.69
1.0.0-alpha.7
1.0.0-alpha.70
1.0.0-alpha.71
1.0.0-alpha.72
1.0.0-alpha.73
1.0.0-alpha.74
1.0.0-alpha.75
1.0.0-alpha.76
1.0.0-alpha.77
1.0.0-alpha.78
1.0.0-alpha.79
1.0.0-alpha.8
1.0.0-alpha.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22782.json"