CVE-2026-22782 Overview
CVE-2026-22782 is an Information Leakage vulnerability in RustFS, a distributed object storage system built in Rust. When invalid RPC signatures are received, the server logs the shared HMAC secret and expected signature, exposing sensitive authentication material to anyone with log access. This enables attackers to forge RPC calls and potentially compromise the integrity of the distributed storage system.
Critical Impact
Exposure of HMAC shared secrets through debug logging allows attackers with log access to forge authenticated RPC requests, potentially enabling unauthorized administrative operations on the storage cluster.
Affected Products
- RustFS versions >= 1.0.0-alpha.1 to 1.0.0-alpha.79
Discovery Timeline
- 2026-01-16 - CVE CVE-2026-22782 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2026-22782
Vulnerability Analysis
This vulnerability falls under CWE-532 (Insertion of Sensitive Information into Log File). The RustFS distributed object storage system improperly logs sensitive authentication material when processing invalid RPC signature verification requests. Specifically, in the crates/ecstore/src/rpc/http_auth.rs file, the invalid signature error handling branch writes the shared HMAC secret and expected signature values directly to application logs.
The vulnerability is triggered whenever an invalidly signed RPC request reaches the server. Since the logging occurs before the request is rejected, any unauthenticated attacker can intentionally send malformed requests to harvest the HMAC secret from logs. Once obtained, this secret can be used to generate valid signatures for arbitrary RPC and admin requests.
Root Cause
The root cause is improper error handling in the verify_rpc_signature function within http_auth.rs. The developers included sensitive cryptographic material—the shared HMAC secret and computed expected signature—in error log messages for debugging purposes. This practice violates secure logging principles, as log files are often accessible to a broader audience than intended and may be transmitted to centralized logging systems, stored in plaintext, or exposed through other channels.
Attack Vector
This vulnerability is exploitable over the network without authentication. An attacker can exploit this vulnerability through the following steps:
- Send any RPC request with an invalid or missing signature to the RustFS server
- The server processes the request and fails signature verification
- The error logging branch executes, writing the HMAC secret and expected signature to logs
- The attacker gains access to logs through various means (insider access, log aggregation systems, misconfigured permissions, or another vulnerability)
- Using the extracted HMAC secret, the attacker can generate valid signatures for any RPC or admin request
- The attacker can now execute privileged operations on the RustFS cluster
// Vulnerable code in http_auth.rs (before patch)
// The error logging exposed the HMAC secret and expected signature
if signature != expected_signature {
error!(
"verify_rpc_signature: Invalid signature: secret {}, url {}, method {}, timestamp {}, signature {}, expected_signature {}",
secret, url, method, timestamp, signature, expected_signature
);
return Err(std::io::Error::other("Invalid signature"));
}
Source: GitHub Code Review
Detection Methods for CVE-2026-22782
Indicators of Compromise
- Log entries containing verify_rpc_signature: Invalid signature: followed by secret values
- Unexpected or unauthorized RPC requests with valid signatures from unknown sources
- Sudden increase in failed authentication attempts against RustFS endpoints
Detection Strategies
- Review application logs for entries containing HMAC secrets or signature values
- Monitor for unusual admin or RPC operations that may indicate compromised credentials
- Implement log auditing to detect if sensitive log files have been accessed by unauthorized users
Monitoring Recommendations
- Enable audit logging for all access to RustFS log files and directories
- Deploy SIEM rules to alert on log entries containing potential secret patterns
- Monitor network traffic for RPC requests originating from unexpected IP addresses
How to Mitigate CVE-2026-22782
Immediate Actions Required
- Upgrade RustFS to version 1.0.0-alpha.80 or later immediately
- Rotate all HMAC shared secrets used by the RustFS cluster
- Audit existing logs for exposed secrets and purge or secure affected log files
- Review log access permissions and restrict to essential personnel only
Patch Information
The vulnerability is fixed in RustFS version 1.0.0-alpha.80. The patch modifies the logging behavior to only display obfuscated signature information (first and last character plus length) rather than the full secret and signature values. This allows debugging while preventing secret exposure.
// Patched code - secrets are no longer logged
if signature != expected_signature {
error!(
"verify_rpc_signature: Invalid signature: url {}, method {}, timestamp {}, signature {}, expected_signature: {}***{}|{}",
url,
method,
timestamp,
signature,
expected_signature.chars().next().unwrap_or('*'),
expected_signature.chars().last().unwrap_or('*'),
expected_signature.len()
);
return Err(std::io::Error::other("Invalid signature"));
}
Source: GitHub Commit Changes
Workarounds
- If immediate patching is not possible, configure log rotation to minimize exposure window and restrict log access
- Implement network segmentation to limit access to RustFS RPC endpoints
- Deploy a reverse proxy or WAF to filter and rate-limit requests to RPC endpoints
- Redirect application logs to a secure, access-controlled logging system with encryption at rest
# Configuration example - Restrict log file permissions
chmod 600 /var/log/rustfs/*.log
chown rustfs:rustfs /var/log/rustfs/*.log
# Rotate logs frequently to minimize exposure window
logrotate -f /etc/logrotate.d/rustfs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
