CVE-2026-45041

Source
https://cve.org/CVERecord?id=CVE-2026-45041
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45041.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45041
Aliases
  • GHSA-923g-jp7v-f97f
Published
2026-05-28T18:34:06.275Z
Modified
2026-07-08T08:13:30.459974146Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
RustFS: Hard-coded RSA private key in license verifier permits arbitrary license forgery
Details

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TESTPRIVATEKEY and uses it in production via parse_license() to "verify" license tokens. Because the key is embedded in every published source release and binary, anyone who can read the repository or extract it from the binary can mint arbitrary license tokens (any subject, any expiration). When the license Cargo feature is enabled, this defeats the entire license-enforcement mechanism. This vulnerability is fixed in 1.0.0-beta.2.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-321"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45041.json"
}
References

Affected packages

Git / github.com/rustfs/rustfs

Affected ranges

Type
GIT
Repo
https://github.com/rustfs/rustfs
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.0.0-beta.2"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

1.*
1.0.0-alpha.1
1.0.0-alpha.10
1.0.0-alpha.11
1.0.0-alpha.12
1.0.0-alpha.13
1.0.0-alpha.14
1.0.0-alpha.15
1.0.0-alpha.16
1.0.0-alpha.17
1.0.0-alpha.18
1.0.0-alpha.19
1.0.0-alpha.2
1.0.0-alpha.20
1.0.0-alpha.21
1.0.0-alpha.22
1.0.0-alpha.23
1.0.0-alpha.24
1.0.0-alpha.25
1.0.0-alpha.26
1.0.0-alpha.27
1.0.0-alpha.28
1.0.0-alpha.29
1.0.0-alpha.3
1.0.0-alpha.30
1.0.0-alpha.31
1.0.0-alpha.32
1.0.0-alpha.33
1.0.0-alpha.34
1.0.0-alpha.35
1.0.0-alpha.36
1.0.0-alpha.37
1.0.0-alpha.38
1.0.0-alpha.39
1.0.0-alpha.4
1.0.0-alpha.40
1.0.0-alpha.41
1.0.0-alpha.42
1.0.0-alpha.43
1.0.0-alpha.44
1.0.0-alpha.45
1.0.0-alpha.46
1.0.0-alpha.47
1.0.0-alpha.48
1.0.0-alpha.49
1.0.0-alpha.5
1.0.0-alpha.50
1.0.0-alpha.51
1.0.0-alpha.52
1.0.0-alpha.53
1.0.0-alpha.54
1.0.0-alpha.55
1.0.0-alpha.56
1.0.0-alpha.57
1.0.0-alpha.58
1.0.0-alpha.59
1.0.0-alpha.6
1.0.0-alpha.60
1.0.0-alpha.61
1.0.0-alpha.62
1.0.0-alpha.63
1.0.0-alpha.64
1.0.0-alpha.65
1.0.0-alpha.66
1.0.0-alpha.67
1.0.0-alpha.68
1.0.0-alpha.69
1.0.0-alpha.7
1.0.0-alpha.70
1.0.0-alpha.71
1.0.0-alpha.72
1.0.0-alpha.73
1.0.0-alpha.74
1.0.0-alpha.75
1.0.0-alpha.76
1.0.0-alpha.77
1.0.0-alpha.78
1.0.0-alpha.79
1.0.0-alpha.8
1.0.0-alpha.80
1.0.0-alpha.81
1.0.0-alpha.82
1.0.0-alpha.83
1.0.0-alpha.84
1.0.0-alpha.85
1.0.0-alpha.86
1.0.0-alpha.87
1.0.0-alpha.88
1.0.0-alpha.89
1.0.0-alpha.9
1.0.0-alpha.90
1.0.0-alpha.91
1.0.0-alpha.92
1.0.0-alpha.93
1.0.0-alpha.94
1.0.0-alpha.95
1.0.0-alpha.96
1.0.0-alpha.97
1.0.0-alpha.98
1.0.0-alpha.99
1.0.0-beta.1
v1.*
v1.0.0-beta.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45041.json"