Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-22782

CVE-2026-22782: RustFS Information Disclosure Vulnerability

CVE-2026-22782 is an information disclosure flaw in RustFS that exposes HMAC secrets through logs when invalid RPC signatures are processed. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-22782 Overview

CVE-2026-22782 is an Information Leakage vulnerability in RustFS, a distributed object storage system built in Rust. When invalid RPC signatures are received, the server logs the shared HMAC secret and expected signature, exposing sensitive authentication material to anyone with log access. This enables attackers to forge RPC calls and potentially compromise the integrity of the distributed storage system.

Critical Impact

Exposure of HMAC shared secrets through debug logging allows attackers with log access to forge authenticated RPC requests, potentially enabling unauthorized administrative operations on the storage cluster.

Affected Products

  • RustFS versions >= 1.0.0-alpha.1 to 1.0.0-alpha.79

Discovery Timeline

  • 2026-01-16 - CVE CVE-2026-22782 published to NVD
  • 2026-01-16 - Last updated in NVD database

Technical Details for CVE-2026-22782

Vulnerability Analysis

This vulnerability falls under CWE-532 (Insertion of Sensitive Information into Log File). The RustFS distributed object storage system improperly logs sensitive authentication material when processing invalid RPC signature verification requests. Specifically, in the crates/ecstore/src/rpc/http_auth.rs file, the invalid signature error handling branch writes the shared HMAC secret and expected signature values directly to application logs.

The vulnerability is triggered whenever an invalidly signed RPC request reaches the server. Since the logging occurs before the request is rejected, any unauthenticated attacker can intentionally send malformed requests to harvest the HMAC secret from logs. Once obtained, this secret can be used to generate valid signatures for arbitrary RPC and admin requests.

Root Cause

The root cause is improper error handling in the verify_rpc_signature function within http_auth.rs. The developers included sensitive cryptographic material—the shared HMAC secret and computed expected signature—in error log messages for debugging purposes. This practice violates secure logging principles, as log files are often accessible to a broader audience than intended and may be transmitted to centralized logging systems, stored in plaintext, or exposed through other channels.

Attack Vector

This vulnerability is exploitable over the network without authentication. An attacker can exploit this vulnerability through the following steps:

  1. Send any RPC request with an invalid or missing signature to the RustFS server
  2. The server processes the request and fails signature verification
  3. The error logging branch executes, writing the HMAC secret and expected signature to logs
  4. The attacker gains access to logs through various means (insider access, log aggregation systems, misconfigured permissions, or another vulnerability)
  5. Using the extracted HMAC secret, the attacker can generate valid signatures for any RPC or admin request
  6. The attacker can now execute privileged operations on the RustFS cluster
rust
// Vulnerable code in http_auth.rs (before patch)
// The error logging exposed the HMAC secret and expected signature
if signature != expected_signature {
    error!(
        "verify_rpc_signature: Invalid signature: secret {}, url {}, method {}, timestamp {}, signature {}, expected_signature {}",
        secret, url, method, timestamp, signature, expected_signature
    );
    return Err(std::io::Error::other("Invalid signature"));
}

Source: GitHub Code Review

Detection Methods for CVE-2026-22782

Indicators of Compromise

  • Log entries containing verify_rpc_signature: Invalid signature: followed by secret values
  • Unexpected or unauthorized RPC requests with valid signatures from unknown sources
  • Sudden increase in failed authentication attempts against RustFS endpoints

Detection Strategies

  • Review application logs for entries containing HMAC secrets or signature values
  • Monitor for unusual admin or RPC operations that may indicate compromised credentials
  • Implement log auditing to detect if sensitive log files have been accessed by unauthorized users

Monitoring Recommendations

  • Enable audit logging for all access to RustFS log files and directories
  • Deploy SIEM rules to alert on log entries containing potential secret patterns
  • Monitor network traffic for RPC requests originating from unexpected IP addresses

How to Mitigate CVE-2026-22782

Immediate Actions Required

  • Upgrade RustFS to version 1.0.0-alpha.80 or later immediately
  • Rotate all HMAC shared secrets used by the RustFS cluster
  • Audit existing logs for exposed secrets and purge or secure affected log files
  • Review log access permissions and restrict to essential personnel only

Patch Information

The vulnerability is fixed in RustFS version 1.0.0-alpha.80. The patch modifies the logging behavior to only display obfuscated signature information (first and last character plus length) rather than the full secret and signature values. This allows debugging while preventing secret exposure.

rust
// Patched code - secrets are no longer logged
if signature != expected_signature {
    error!(
        "verify_rpc_signature: Invalid signature: url {}, method {}, timestamp {}, signature {}, expected_signature: {}***{}|{}",
        url,
        method,
        timestamp,
        signature,
        expected_signature.chars().next().unwrap_or('*'),
        expected_signature.chars().last().unwrap_or('*'),
        expected_signature.len()
    );
    return Err(std::io::Error::other("Invalid signature"));
}

Source: GitHub Commit Changes

Workarounds

  • If immediate patching is not possible, configure log rotation to minimize exposure window and restrict log access
  • Implement network segmentation to limit access to RustFS RPC endpoints
  • Deploy a reverse proxy or WAF to filter and rate-limit requests to RPC endpoints
  • Redirect application logs to a secure, access-controlled logging system with encryption at rest
bash
# Configuration example - Restrict log file permissions
chmod 600 /var/log/rustfs/*.log
chown rustfs:rustfs /var/log/rustfs/*.log

# Rotate logs frequently to minimize exposure window
logrotate -f /etc/logrotate.d/rustfs

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.