CVE-2026-22782

7.5 HIGH

📋 TL;DR

RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 log the shared HMAC secret when invalid RPC signatures are received. This exposes the secret to anyone with log access, enabling attackers to forge authenticated RPC calls. Systems using vulnerable RustFS versions with logging enabled are affected.

💻 Affected Systems

Products:
  • RustFS
Versions: 1.0.0-alpha.1 through 1.0.0-alpha.79 (inclusive)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations with logging enabled are vulnerable. The vulnerability is triggered by any invalidly signed RPC request.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain the HMAC secret, forge authenticated RPC calls, and gain full administrative control over the RustFS storage system, potentially accessing, modifying, or deleting all stored data.

🟠 Likely Case

Attackers with log access extract the HMAC secret and forge RPC calls to manipulate stored objects, potentially leading to data integrity and confidentiality breaches.

🟢 If Mitigated

With proper log access controls and monitoring, the exposure is limited to authorized personnel, but the secret remains vulnerable if logs are compromised.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending an invalidly signed RPC request and accessing logs containing the secret. No authentication is needed to trigger the logging.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.0-alpha.80

Vendor Advisory: https://github.com/rustfs/rustfs/security/advisories/GHSA-333v-68xh-8mmq

Restart Required: Yes

Instructions:

1. Update RustFS to version 1.0.0-alpha.80 or later.
2. Restart the RustFS service.
3. Verify the fix by checking the version and ensuring logs no longer contain HMAC secrets.

🔧 Temporary Workarounds

Disable Debug Logging

Platform: all

Disable or restrict debug-level logging to prevent the secret from being written to logs.

Configure RustFS logging to exclude debug levels or disable logging entirely in the configuration file.

Restrict Log Access

Platform: linux

Apply strict access controls to log files to prevent unauthorized reading.

# Owner-only read/write on the log files. The service account must own them
# (or otherwise keep write access) so the daemon can continue logging.
chmod 600 /var/log/rustfs/*
# ACL entry granting the rustfs user read-only access when the files are owned by another account.
setfacl -m u:rustfs:r /var/log/rustfs/*

🧯 If You Can't Patch

  • Implement strict access controls on log files and directories to limit exposure.
  • Monitor logs for patterns of invalid RPC signatures and investigate any occurrences.

🔍 How to Verify

Check if Vulnerable:

Check the RustFS version. If it is between 1.0.0-alpha.1 and 1.0.0-alpha.79, it is vulnerable. Review logs for entries containing 'secret' or 'expected_signature' written in response to invalid RPC requests.

Check Version:

rustfs --version

Verify Fix Applied:

After updating to 1.0.0-alpha.80 or later, send an invalid RPC request and verify that logs no longer contain the HMAC secret or expected signature.
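The logging defect this advisory describes, and the verification check above, as an added illustration that is not RustFS's code: a hypothetical Python RPC verifier that writes the shared secret on a signature mismatch, beside a hardened variant, plus a helper that checks captured log text for the secret. The HMAC-SHA256 signature scheme, the function names and the sample secret are assumptions.

```python
import hashlib
import hmac
import logging
from io import StringIO

# Constructed sample secret for illustration only; not a real RustFS value.
SHARED_SECRET = b"constructed-example-secret-do-not-use"

def sign(secret: bytes, body: bytes) -> str:
    """Hypothetical RPC signature: hex HMAC-SHA256 over the request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_leaky(secret, body, presented, log) -> bool:
    """Pattern the advisory describes: on mismatch the debug line carries the secret."""
    expected = sign(secret, body)
    if presented != expected:
        # BUG: shared secret and expected signature are written to the log.
        log.debug("invalid rpc signature: secret=%s expected_signature=%s got=%s",
                  secret.decode(), expected, presented)
        return False
    return True

def verify_safe(secret, body, presented, log) -> bool:
    """Hardened variant: constant-time compare, and the log names no key material."""
    expected = sign(secret, body)
    if not hmac.compare_digest(expected, presented):
        # Log only that verification failed, plus a short fingerprint of the
        # presented value so repeated attempts can be correlated.
        log.warning("invalid rpc signature (presented fingerprint=%s)",
                    hashlib.sha256(presented.encode()).hexdigest()[:12])
        return False
    return True

def run_verifier(verifier, presented: str) -> tuple:
    """Run a verifier on a constructed request; return (accepted, captured log text)."""
    buf = StringIO()
    log = logging.getLogger("rustfs-example-" + verifier.__name__)
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.DEBUG)
    log.addHandler(logging.StreamHandler(buf))
    ok = verifier(SHARED_SECRET, b'{"op":"ListBuckets"}', presented, log)
    return ok, buf.getvalue()

def log_leaks_secret(log_text: str, secret: bytes) -> bool:
    """Verification-step check: does captured log text contain the secret?"""
    return secret.decode() in log_text
```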

📡 Detection & Monitoring

Log Indicators:

  • Log entries containing 'secret' or 'expected_signature' from invalid RPC requests in RustFS logs.

Network Indicators:

  • Unusual RPC request patterns or spikes in invalid signature errors.

SIEM Query:

source="rustfs.log" AND ("secret" OR "expected_signature")

🔗 References
