HarborGuard / CVE

CVE-2026-45039 | Severity: CRITICAL | CNA: GitHub_M

CVE-2026-45039: RustFS: Internode RPC HMAC secret falls back to public default credential, enabling peer impersonation

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, get_shared_secret() in crates/ecstore/src/rpc/http_auth.rs, falls back to the public, source-tree-embedded DEFAULT_SECRET_KEY = "rustfsadmin" when neither the RUSTFS_RPC_SECRET environment variable nor the global S3 secret key has been configured. This vulnerability is fixed in 1.0.0-beta.2.
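The following is an added example, not RustFS source code, that models the fallback described above. It reproduces the resolution order the advisory gives (RUSTFS_RPC_SECRET, then the global S3 secret key, then the embedded DEFAULT_SECRET_KEY), places a fail-closed variant beside it, and shows that an attacker holding only the public default can forge a tag that an unconfigured node accepts. The signed message layout (method, path, body), the endpoint path and the request body are assumptions for the demo; RustFS's real request canonicalisation is not given on this page.

```python
"""Model of the internode RPC secret fallback (added example, not RustFS code)."""
import hashlib
import hmac
from typing import Callable, Mapping, Optional

DEFAULT_SECRET_KEY = "rustfsadmin"  # public constant named in the advisory


def get_shared_secret_vulnerable(env: Mapping[str, str],
                                 s3_secret_key: Optional[str]) -> str:
    """Pre-1.0.0-beta.2 behaviour: always yields *some* secret, ending at the
    public default when nothing is configured (fails open)."""
    if env.get("RUSTFS_RPC_SECRET"):
        return env["RUSTFS_RPC_SECRET"]
    if s3_secret_key:
        return s3_secret_key  # the S3 credential doubles as the internode secret
    return DEFAULT_SECRET_KEY


def get_shared_secret_hardened(env: Mapping[str, str],
                               s3_secret_key: Optional[str]) -> str:
    """Fail-closed variant (hypothetical hardening, not the upstream patch):
    refuse to run the RPC layer if the resolved secret is missing or equals
    the public default."""
    secret = env.get("RUSTFS_RPC_SECRET") or s3_secret_key
    if not secret or secret == DEFAULT_SECRET_KEY:
        raise RuntimeError("internode RPC secret unset or equal to the public "
                           "default; refusing to start the RPC layer")
    return secret


def sign(secret: str, method: str, path: str, body: bytes) -> str:
    """HMAC-SHA256 over an assumed canonical form: method, path, body."""
    msg = b"\n".join([method.encode(), path.encode(), body])
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify(secret: str, method: str, path: str, body: bytes, tag: str) -> bool:
    """Constant-time comparison of the expected tag against the presented one."""
    return hmac.compare_digest(sign(secret, method, path, body), tag)


def forged_request_accepted(
    env: Mapping[str, str],
    s3_secret_key: Optional[str],
    resolver: Callable[..., str] = get_shared_secret_vulnerable,
) -> bool:
    """Attacker side signs with the public default; node side verifies with
    whatever `resolver` hands it. True means peer impersonation succeeds."""
    method, path = "POST", "/rpc/v1/storage/delete-volume"  # assumed endpoint
    body = b'{"volume":"bucket-a"}'                          # constructed input
    attacker_tag = sign(DEFAULT_SECRET_KEY, method, path, body)
    node_secret = resolver(env, s3_secret_key)
    return verify(node_secret, method, path, body, attacker_tag)


if __name__ == "__main__":
    print("unconfigured node:", forged_request_accepted({}, None))        # True
    print("S3 key left at default:",
          forged_request_accepted({}, "rustfsadmin"))                     # True
    print("RUSTFS_RPC_SECRET set:",
          forged_request_accepted({"RUSTFS_RPC_SECRET": "a-long-random-rpc-secret"},
                                  None))                                  # False
    try:
        forged_request_accepted({}, None, resolver=get_shared_secret_hardened)
    except RuntimeError as err:
        print("hardened resolver:", err)
```

Two points the model makes visible: a node whose S3 secret key is still the default is just as exposed as one with nothing configured, because the fallback resolves to the same string; and when RUSTFS_RPC_SECRET is absent, a strong S3 secret key is silently promoted to the internode credential, so the S3 key and the RPC key are no longer independent.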

HarborGuard Analysis

Synopsis

This is a hard-coded default credential in RustFS, a distributed object storage system, that amounts to an authentication bypass of the internode RPC layer. In versions prior to 1.0.0-beta.2, the RPC layer falls back to the source-embedded HMAC secret "rustfsadmin" when neither RUSTFS_RPC_SECRET nor the global S3 secret key is configured, so anyone who can reach the RPC port can compute valid HMAC-SHA256 signatures without holding a credential. A forged request lets the attacker impersonate a cluster peer; the CVSS vector (C:H/I:H/A:H) reflects full read, write, and disruption of stored object data. Upstream fixes the issue in 1.0.0-beta.2; a HarborGuard patched-image rebuild is not yet available and the advisory is being tracked.

HarborGuard Coverage

Detection

Detection of CVE-2026-45039 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built RustFS images, in registries and CI/CD pipelines.

Available
Triage

Triage is available with a CVSS v3.1 score of 9.8 (Critical), weighted against each customer organization's compliance policy to determine priority routing. Findings are surfaced to the appropriate team inbox within each customer org based on configured severity thresholds and ownership rules.

Available
Patch

Upstream fixes this issue in 1.0.0-beta.2. A HarborGuard patched-image rebuild is not yet available; the advisory is re-checked on every ingest cycle, and for customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger automatically as soon as the rebuild ships.

Pending

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the RustFS internode RPC service over the network; any host with TCP access to the service port can attempt the attack.

  • Authentication: Not required

    No credentials are needed because the attacker can independently compute a valid HMAC-SHA256 signature using the publicly known default secret "rustfsadmin".

  • Victim interaction: Not required

    The attack is fully remote and programmatic; no user action or social engineering is required.

  • Attack complexity: Low

    Exploit complexity is low: the attacker only needs to know the hardcoded default secret, which is embedded in the public source tree, and no race conditions or special environmental factors are required.

Blast Radius

  • An attacker impersonating a legitimate cluster peer can read any object stored across the RustFS cluster, exposing all stored data including credentials, backups, and application artifacts.
  • An attacker can write or overwrite arbitrary objects within the cluster, corrupting or replacing stored data.
  • An attacker can send malformed or destructive RPC calls to crash or destabilize cluster nodes, taking the storage service offline.
  • All three impacts (confidentiality, integrity, availability) are reachable in a single session once the attacker begins issuing signed RPC requests with the known default secret.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-45039 is active against any image containing an affected version of RustFS (prior to 1.0.0-beta.2). Upstream fixes the issue in 1.0.0-beta.2; a HarborGuard patched-image rebuild is not yet available, the advisory is re-checked on every ingest cycle, and for customers with auto-remediation enabled the rebuild, regression test run, and PR against affected workloads will be triggered automatically as soon as the rebuild ships. Until then, the compensating controls are: upgrade to 1.0.0-beta.2 where running the pre-release is acceptable; set RUSTFS_RPC_SECRET to a strong, unique secret in every deployment manifest, because without it the fallback chain described in the advisory reuses the global S3 secret key for internode RPC and, if that too is unset, the public default; apply network policy so that only cluster-internal addresses can reach the RPC port; and audit existing deployments for the default secret in environment configuration, including S3 secret keys left at their default. Since the value is a shared secret, every node in a cluster must be given the same RUSTFS_RPC_SECRET, or peers will reject each other's signatures.
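As an added example (not HarborGuard tooling), the static audit below walks constructed, Kubernetes-style Deployment manifests (already parsed into dicts, so no YAML library is needed) and reports every container whose internode RPC secret would resolve unsafely under the fallback chain from the advisory, plus any literal secret shared between manifests. Two assumptions are labelled in the code: the environment variable carrying the global S3 secret key is taken to be RUSTFS_SECRET_KEY (the advisory does not name it), and a secret shorter than 32 characters is treated as weak.

```python
"""Static audit of deployment manifests for the RPC-secret controls (added example)."""
from typing import Dict, List

DEFAULT_SECRET_KEY = "rustfsadmin"   # public default named in the advisory
RPC_VAR = "RUSTFS_RPC_SECRET"
S3_VAR = "RUSTFS_SECRET_KEY"         # assumed name; the advisory does not give it
MIN_SECRET_LEN = 32                  # assumed threshold for a "strong" secret
INJECTED = object()                  # marker for values pulled in via valueFrom


def env_of(container: dict) -> Dict[str, object]:
    """Flatten a k8s env list. Values injected via valueFrom are opaque to a
    static audit and are recorded as INJECTED rather than as a string."""
    out: Dict[str, object] = {}
    for item in container.get("env", []):
        out[item["name"]] = item["value"] if "value" in item else INJECTED
    return out


def audit_manifest(manifest: dict) -> List[str]:
    """One finding per container whose RPC secret resolution is unsafe."""
    findings: List[str] = []
    for c in manifest["spec"]["template"]["spec"]["containers"]:
        env = env_of(c)
        where = f"{manifest['metadata']['name']}/{c['name']}"
        rpc, s3 = env.get(RPC_VAR), env.get(S3_VAR)
        if rpc is None:  # fallback chain from the advisory applies
            if s3 is None or s3 == DEFAULT_SECRET_KEY:
                findings.append(f"{where}: {RPC_VAR} unset and S3 secret unset or "
                                f"default; RPC layer signs with '{DEFAULT_SECRET_KEY}'")
            elif s3 is INJECTED:
                findings.append(f"{where}: {RPC_VAR} unset; RPC layer reuses the S3 "
                                f"secret injected via valueFrom, verify it out of band")
            else:
                findings.append(f"{where}: {RPC_VAR} unset; S3 secret key reused "
                                f"for internode RPC")
        elif rpc is INJECTED:
            findings.append(f"{where}: {RPC_VAR} injected via valueFrom; verify the "
                            f"Secret is not '{DEFAULT_SECRET_KEY}'")
        elif rpc == DEFAULT_SECRET_KEY:
            findings.append(f"{where}: {RPC_VAR} explicitly set to the public default")
        elif len(str(rpc)) < MIN_SECRET_LEN:
            findings.append(f"{where}: {RPC_VAR} shorter than {MIN_SECRET_LEN} chars")
    return findings


def shared_across(manifests: List[dict]) -> List[str]:
    """Names of manifests whose literal RPC secret appears in more than one
    manifest (assumes one manifest per RustFS cluster, so a shared value
    means the secret is not unique per cluster)."""
    seen: Dict[str, List[str]] = {}
    for m in manifests:
        for c in m["spec"]["template"]["spec"]["containers"]:
            rpc = env_of(c).get(RPC_VAR)
            if isinstance(rpc, str) and rpc != DEFAULT_SECRET_KEY:
                seen.setdefault(rpc, []).append(m["metadata"]["name"])
    return sorted(n for names in seen.values() if len(names) > 1 for n in names)


def manifest(name: str, env: List[dict]) -> dict:
    """Build a minimal Deployment-shaped dict (constructed test data)."""
    return {"metadata": {"name": name},
            "spec": {"template": {"spec": {"containers": [
                {"name": "rustfs", "env": env}]}}}}


STRONG_RPC = "rpc-secret-0123456789abcdef0123456789abcdef"   # constructed, 43 chars
STRONG_S3 = "s3-secret-that-is-not-the-default-value-01"     # constructed, 42 chars
SAMPLES = [
    manifest("rustfs-default", []),                                   # nothing set
    manifest("rustfs-s3-only", [{"name": S3_VAR, "value": STRONG_S3}]),  # reuse
    manifest("rustfs-ok", [{"name": RPC_VAR, "value": STRONG_RPC}]),    # clean
]

if __name__ == "__main__":
    for m in SAMPLES:
        for f in audit_manifest(m):
            print(f)
    print("shared:", shared_across(SAMPLES + [
        manifest("rustfs-dup", [{"name": RPC_VAR, "value": STRONG_RPC}])]))
```

A manifest that passes this audit is still only half the picture: an image already at 1.0.0-beta.2 no longer needs the control, and a secret delivered through valueFrom has to be checked against the default in the referenced Secret object itself.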


Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 1.0.0-beta.2
Affected products: 1
Affected packages
  • rustfs / rustfs: < 1.0.0-beta.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H