RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.1 through 1.0.0-alpha.79, an RPC request with an invalid signature causes the server to log the shared HMAC secret (and the expected signature), which exposes the secret to anyone who can read the logs and enables forged RPC calls. The invalid-signature branch in crates/ecstore/src/rpc/http_auth.rs logs sensitive data: the log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path, and the function is reachable from RPC and admin request handlers. This vulnerability is fixed in 1.0.0-alpha.80.
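A sketch of how an invalid-signature branch can stay safe to log, added here as an illustration; it is not RustFS code and not the project's fix. The names `Secret`, `ct_eq`, `demo_mac` and `verify`, the path `/rpc/ping` and the sample secret are assumptions, and `demo_mac` is a non-cryptographic stand-in for HMAC-SHA256 so the block needs no crates.

```rust
use std::fmt;

/// Shared RPC secret wrapped so that formatting can never print its bytes.
pub struct Secret(Vec<u8>);

impl Secret {
    pub fn new(bytes: &[u8]) -> Self { Secret(bytes.to_vec()) }
    /// The only way to reach the bytes, so call sites are easy to audit.
    pub fn expose(&self) -> &[u8] { &self.0 }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Secret(<redacted>)")
    }
}

/// Compare two byte strings without returning early on the first mismatch.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() { return false; }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Stand-in keyed checksum (hypothetical helper). NOT cryptographic;
/// a real service would compute HMAC-SHA256 here.
pub fn demo_mac(key: &[u8], msg: &[u8]) -> Vec<u8> {
    let mut h: u64 = 0xcbf29ce484222325;
    for b in key.iter().chain(msg) {
        h = (h ^ *b as u64).wrapping_mul(0x100000001b3);
    }
    h.to_be_bytes().to_vec()
}

/// Verify a request signature. On failure, return the line to log: it carries
/// request metadata only, never the secret or the expected signature.
pub fn verify(secret: &Secret, path: &str, msg: &[u8], provided: &[u8]) -> Result<(), String> {
    let expected = demo_mac(secret.expose(), msg);
    if ct_eq(&expected, provided) {
        return Ok(());
    }
    Err(format!("invalid RPC signature: path={} provided_len={} key={:?}", path, provided.len(), secret))
}

fn main() {
    let secret = Secret::new(b"constructed-demo-secret"); // constructed sample value
    let good = demo_mac(secret.expose(), b"body");
    println!("{:?}", verify(&secret, "/rpc/ping", b"body", &good));
    println!("{:?}", verify(&secret, "/rpc/ping", b"body", b"bogus"));
}
```

Even when the secret is passed to the formatter by mistake, as the failure branch above does on purpose, the log line shows only the redaction marker.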
Cite this page
CVE-2026-22782. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2026-22782
Use CWE-532, Rustfs vendor hub and Rustfs product page to widen CVE-2026-22782 into its surrounding weakness, vendor, and product context.
Compare it with CVE-2025-68926, CVE-2026-27822 and CVE-2025-68705 for nearby disclosures in the same product family.