CVE-2026-45039

Source
https://cve.org/CVERecord?id=CVE-2026-45039
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45039.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45039
Aliases
  • GHSA-r5qv-rc46-hv8q
Published
2026-05-28T18:39:54.794Z
Modified
2026-07-08T08:13:30.163401226Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
RustFS: Internode RPC HMAC secret falls back to public default credential, enabling peer impersonation
Details

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, getsharedsecret() in crates/ecstore/src/rpc/httpauth.rs, falls back to the public, source-tree-embedded DEFAULTSECRETKEY = "rustfsadmin" when neither the RUSTFSRPC_SECRET environment variable nor the global S3 secret key has been configured. This vulnerability is fixed in 1.0.0-beta.2.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45039.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1392",
        "CWE-798"
    ]
}
References

Affected packages

Git / github.com/rustfs/rustfs

Affected ranges

Type
GIT
Repo
https://github.com/rustfs/rustfs
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.0.0-beta.2"
        }
    ]
}

Affected versions

1.*
1.0.0-alpha.1
1.0.0-alpha.10
1.0.0-alpha.11
1.0.0-alpha.12
1.0.0-alpha.13
1.0.0-alpha.14
1.0.0-alpha.15
1.0.0-alpha.16
1.0.0-alpha.17
1.0.0-alpha.18
1.0.0-alpha.19
1.0.0-alpha.2
1.0.0-alpha.20
1.0.0-alpha.21
1.0.0-alpha.22
1.0.0-alpha.23
1.0.0-alpha.24
1.0.0-alpha.25
1.0.0-alpha.26
1.0.0-alpha.27
1.0.0-alpha.28
1.0.0-alpha.29
1.0.0-alpha.3
1.0.0-alpha.30
1.0.0-alpha.31
1.0.0-alpha.32
1.0.0-alpha.33
1.0.0-alpha.34
1.0.0-alpha.35
1.0.0-alpha.36
1.0.0-alpha.37
1.0.0-alpha.38
1.0.0-alpha.39
1.0.0-alpha.4
1.0.0-alpha.40
1.0.0-alpha.41
1.0.0-alpha.42
1.0.0-alpha.43
1.0.0-alpha.44
1.0.0-alpha.45
1.0.0-alpha.46
1.0.0-alpha.47
1.0.0-alpha.48
1.0.0-alpha.49
1.0.0-alpha.5
1.0.0-alpha.50
1.0.0-alpha.51
1.0.0-alpha.52
1.0.0-alpha.53
1.0.0-alpha.54
1.0.0-alpha.55
1.0.0-alpha.56
1.0.0-alpha.57
1.0.0-alpha.58
1.0.0-alpha.59
1.0.0-alpha.6
1.0.0-alpha.60
1.0.0-alpha.61
1.0.0-alpha.62
1.0.0-alpha.63
1.0.0-alpha.64
1.0.0-alpha.65
1.0.0-alpha.66
1.0.0-alpha.67
1.0.0-alpha.68
1.0.0-alpha.69
1.0.0-alpha.7
1.0.0-alpha.70
1.0.0-alpha.71
1.0.0-alpha.72
1.0.0-alpha.73
1.0.0-alpha.74
1.0.0-alpha.75
1.0.0-alpha.76
1.0.0-alpha.77
1.0.0-alpha.78
1.0.0-alpha.79
1.0.0-alpha.8
1.0.0-alpha.80
1.0.0-alpha.81
1.0.0-alpha.82
1.0.0-alpha.83
1.0.0-alpha.84
1.0.0-alpha.85
1.0.0-alpha.86
1.0.0-alpha.87
1.0.0-alpha.88
1.0.0-alpha.89
1.0.0-alpha.9
1.0.0-alpha.90
1.0.0-alpha.91
1.0.0-alpha.92
1.0.0-alpha.93
1.0.0-alpha.94
1.0.0-alpha.95
1.0.0-alpha.96
1.0.0-alpha.97
1.0.0-alpha.98
1.0.0-alpha.99
1.0.0-beta.1
v1.*
v1.0.0-beta.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45039.json"