PatchSiren cyber security CVE debrief
CVE-2026-45040 rustfs CVE debrief
CVE-2026-45040 documents a sensitive information disclosure vulnerability in RustFS, a distributed object storage system implemented in Rust. When the server operates with RUST_LOG=debug, authentication credentials including SessionToken (JWT), SecretAccessKey, and complete JWT claims are emitted in plaintext to server logs. The vulnerability stems from improper logging practices that fail to sanitize sensitive authentication material before output. This exposure creates risk of credential compromise for operators with log access and potentially for attackers who gain unauthorized access to log files or log aggregation systems. The CVSS 4.0 vector indicates network attack vector with low attack complexity, requiring low privileges and no user interaction, with low confidentiality impact to the vulnerable component. The issue is resolved in version 1.0.0-beta.2.
- Vendor: rustfs
- Product: Unknown
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
RustFS operators and administrators, security teams managing object storage infrastructure, DevOps engineers responsible for logging pipeline configuration, and compliance officers concerned with credential handling and audit log protection
Technical summary
RustFS versions prior to 1.0.0-beta.2 log sensitive authentication credentials in plaintext when RUST_LOG=debug is enabled. Exposed data includes SessionToken JWT values, SecretAccessKey strings, and complete JWT claim payloads. The vulnerability allows credential exposure to any party with log read access and creates persistent compromise risk if logs are retained or forwarded to external systems. Remediation requires upgrading to 1.0.0-beta.2 and rotating potentially exposed credentials.
Defensive priority
medium
Recommended defensive actions
- Upgrade RustFS installations to version 1.0.0-beta.2 or later to eliminate credential leakage in debug logs
- Audit existing server logs for exposure of SessionToken, SecretAccessKey, or JWT claim values, particularly in environments where RUST_LOG=debug was historically enabled
- Rotate any credentials that may have been captured in logs prior to remediation, including JWT signing keys and access key pairs
- Restrict log file permissions and access controls to prevent unauthorized reading of server logs containing potential credential artifacts
- Review logging configurations across all RustFS deployments to ensure RUST_LOG=debug is not enabled in production environments
- Implement log sanitization or masking controls if custom logging pipelines are used to prevent credential propagation to centralized logging systems
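The audit and masking steps above, as an added example that is not RustFS project code: it scans log lines for SessionToken and SecretAccessKey fields and for bare JWTs, redacts them, and decodes (without verifying) any JWT it finds so the operator learns which access key needs rotating. The sample log lines, the field names and the `accessKey` claim are constructed assumptions; the real RustFS debug layout may differ.

```python
import base64
import json
import re
# Added example, not RustFS project code. The sample log lines are constructed
# and the real RustFS debug layout may differ, so adjust FIELD_RE to match it.
# A JWT is three base64url segments joined by dots; its header encodes '{"',
# so it practically always starts with "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
# key=value or key: value fields named like the items the advisory says leak.
FIELD_RE = re.compile(r'\b(SessionToken|SecretAccessKey)\s*[=:]\s*"?([^\s",}]+)', re.I)
def _b64url(obj) -> str:  # JSON -> unpadded base64url, used to build the sample token
    return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
SAMPLE_TOKEN = ".".join([_b64url({"alg": "HS256", "typ": "JWT"}),
                         _b64url({"accessKey": "AKIACONSTRUCTED", "exp": 1793472000}),
                         "c2lnbmF0dXJl"])  # constructed token with a dummy signature
SAMPLE_LOG = [  # constructed lines, not real RustFS output
    "2026-05-28T10:00:01Z DEBUG rustfs::auth: validating request",
    f"2026-05-28T10:00:01Z DEBUG rustfs::auth: SessionToken={SAMPLE_TOKEN}",
    '2026-05-28T10:00:01Z DEBUG rustfs::auth: SecretAccessKey="wJalrXUtnFEMI/K7MDENG+CONSTRUCTED"',
    f"2026-05-28T10:00:02Z DEBUG rustfs::auth: claims for {SAMPLE_TOKEN} accepted",
    "2026-05-28T10:00:02Z INFO rustfs::http: GET /bucket/key 200",
]

def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it; enough to learn which key leaked."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_log(lines: list) -> tuple:
    """Redact leaked material and report what leaked, including keys to rotate."""
    report = {"lines_with_leaks": 0, "kinds": set(), "access_keys_to_rotate": set()}
    clean = []
    for line in lines:
        for tok in JWT_RE.findall(line):  # read the claims before masking the token
            try:
                report["access_keys_to_rotate"].add(decode_claims(tok)["accessKey"])
            except (ValueError, KeyError, IndexError):
                pass  # not a decodable JWT, or no accessKey claim
        kinds = [m.group(1) for m in FIELD_RE.finditer(line)]
        redacted = FIELD_RE.sub(lambda m: f"{m.group(1)}=<REDACTED>", line)
        if JWT_RE.search(redacted):  # a bare token outside any named field
            kinds.append("JWT")
            redacted = JWT_RE.sub("<REDACTED_JWT>", redacted)
        if kinds:
            report["lines_with_leaks"] += 1
            report["kinds"].update(kinds)
        clean.append(redacted)
    return clean, report
```

Running `audit_log(SAMPLE_LOG)` flags three of the five lines and reports `AKIACONSTRUCTED` as a key to rotate; point it at real log files once the patterns match your deployment's format.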
Evidence notes
Vulnerability confirmed through GitHub Security Advisory GHSA-8cm2-h255-v749. CWE-312 (Cleartext Storage of Sensitive Information) and CWE-532 (Insertion of Sensitive Information into Log File) identified as applicable weakness classifications. Fix version 1.0.0-beta.2 explicitly stated in advisory.
Official resources
- CVE-2026-45040 CVE record (CVE.org)
- CVE-2026-45040 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28