PatchSiren cyber security CVE debrief
CVE-2026-45041 rustfs CVE debrief
A critical cryptographic vulnerability in RustFS distributed object storage allows complete license enforcement bypass. The application embeds a hardcoded 2048-bit RSA private key as a string constant (TEST_PRIVATE_KEY) in crates/appauth/src/token.rs, which is used in production via parse_license() to verify license tokens. Because this key is present in all published source releases and binaries, any party with repository access or binary extraction capability can forge arbitrary license tokens with any subject and expiration date. When the license Cargo feature is enabled, this completely defeats the license-enforcement mechanism. The vulnerability stems from CWE-321: Use of Hard-coded Cryptographic Key. Organizations using RustFS with license enforcement enabled should upgrade to version 1.0.0-beta.2 immediately.
- Vendor: rustfs
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations running RustFS distributed object storage with license enforcement enabled; software supply chain security teams; Rust developers embedding cryptographic verification in applications
Technical summary
RustFS versions prior to 1.0.0-beta.2 contain a hardcoded 2048-bit RSA private key (TEST_PRIVATE_KEY) in crates/appauth/src/token.rs. This key is used by the parse_license() function for production license token verification when the license Cargo feature is enabled. The embedded key allows any party with source or binary access to cryptographically forge valid license tokens, completely bypassing license enforcement. The vulnerability is classified as CWE-321 and carries a CVSS 4.0 score of 8.7 (HIGH severity).
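A source-level audit for the pattern described above, added here as an example and not code from RustFS or the advisory: it finds constants holding a PEM private key and reports every reference to them outside `#[cfg(test)]` code, which is exactly how a constant named TEST_PRIVATE_KEY ends up in a production verifier. The Rust sample it scans is constructed for the example (hypothetical `load_key`/`verify` helpers, placeholder key material) and the brace tracking is a heuristic, not a Rust parser.

```python
import re

# Audit Rust source for PEM private keys kept in constants and referenced outside
# #[cfg(test)] code: the CWE-321 pattern behind CVE-2026-45041. Added example, not RustFS code.
PEM_PRIVATE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
CONST_DEF = re.compile(r"\b(?:pub\s+)?(?:const|static)\s+([A-Z_][A-Z0-9_]*)\s*:")

def _test_only_lines(lines):
    # Lines inside a #[cfg(test)] item; brace-depth heuristic (ignores braces in strings).
    in_test = [False] * len(lines)
    depth, pending, exit_depth = 0, False, None
    for i, line in enumerate(lines):
        if "#[cfg(test)]" in line:
            pending = True                      # next brace-opening item is test-only
        if pending and "{" in line:
            exit_depth, pending = depth, False
        in_test[i] = exit_depth is not None
        depth += line.count("{") - line.count("}")
        if exit_depth is not None and depth <= exit_depth:
            exit_depth = None                   # the #[cfg(test)] item closed here
    return in_test

def find_private_key_uses(src):
    # Returns each constant holding a private key and the non-test lines referencing it.
    lines = src.splitlines()
    in_test = _test_only_lines(lines)
    keys, current = {}, None                    # name -> defining line (1-based)
    for i, line in enumerate(lines):
        m = CONST_DEF.search(line)
        if m:
            current = (m.group(1), i + 1)
        if current and PEM_PRIVATE.search(line):
            keys[current[0]] = current[1]
        if current and line.rstrip().endswith(";"):
            current = None                      # end of the const initializer
    findings = []
    for name, def_line in keys.items():
        uses = [i + 1 for i, line in enumerate(lines)
                if re.search(rf"\b{name}\b", line) and i + 1 != def_line and not in_test[i]]
        findings.append({"constant": name, "defined_at": def_line, "production_uses": uses})
    return findings

# Constructed sample in the shape of a token module; not RustFS source, no real key material.
SAMPLE = """\
const TEST_PRIVATE_KEY: &str = "-----BEGIN RSA PRIVATE KEY-----
<constructed placeholder, not real key material>
-----END RSA PRIVATE KEY-----";
pub fn parse_license(token: &str) -> bool { verify(load_key(TEST_PRIVATE_KEY), token) }
#[cfg(test)]
mod tests { fn t() { let _k = load_key(super::TEST_PRIVATE_KEY); } }
"""
```

Running `find_private_key_uses(SAMPLE)` flags TEST_PRIVATE_KEY (defined on line 1) with a production use on line 4, the `parse_license` body, while the reference inside the `#[cfg(test)]` module is ignored; a key that is only used from test code yields an empty `production_uses` list.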
Defensive priority
critical
Recommended defensive actions
- Upgrade RustFS to version 1.0.0-beta.2 or later immediately
- Audit all deployed RustFS instances for unauthorized license tokens
- Review license enforcement logs for anomalies predating the fix
- If immediate upgrade is not possible, consider disabling the license Cargo feature until patching is complete
- Verify integrity of license tokens in use by cross-referencing against expected issuance patterns
- Implement monitoring for unexpected license validation patterns
Evidence notes
CVE published 2026-05-28. Advisory confirms hardcoded RSA private key in TEST_PRIVATE_KEY constant used for production license verification. Fixed in 1.0.0-beta.2.
Official resources
- CVE-2026-45041 CVE record (CVE.org)
- CVE-2026-45041 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28