CVE-2026-45041 | Severity: HIGH | CNA: GitHub_M

CVE-2026-45041: RustFS: Hard-coded RSA private key in license verifier permits arbitrary license forgery

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TEST_PRIVATE_KEY and uses it in production via parse_license() to "verify" license tokens. Because the key is embedded in every published source release and binary, anyone who can read the repository or extract it from the binary can mint arbitrary license tokens (any subject, any expiration). When the license Cargo feature is enabled, this defeats the entire license-enforcement mechanism. This vulnerability is fixed in 1.0.0-beta.2.
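The flaw described above is a design mistake rather than a bug in any one line: whatever material the verifier embeds is what an attacker obtains, so embedding the private half of the key pair hands out the signing capability itself. The following is an added example, not RustFS code and not a reproduction of token.rs. It models the vulnerable pattern (a verifier whose constant holds the whole key pair, with the verifying key derived from it) beside the hardened pattern (only the public half ships; the private half stays with an offline signer). Textbook RSA over SHA-256 with a deterministically generated 512-bit modulus stands in for the real 2048-bit PKCS#1 key, and the token layout (base64url JSON payload, a dot, a hex signature) is an assumption made for the demonstration.

```python
"""Model of the CVE-2026-45041 pattern (added example, not RustFS code).

Textbook RSA with a seeded 512-bit key stands in for the real 2048-bit key;
the token format is an assumption for the demo. Do not reuse as-is."""
import base64
import hashlib
import json
import random
import time


def _is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin; adequate for a reproducible demo key, not for production."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # fixed width, odd
        if _is_probable_prime(cand, rng):
            return cand


def _gen_keypair(bits, seed):
    """Returns {'n', 'e', 'd'}; seeded so the example is reproducible offline."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


# Vulnerable design: the "constant" the verifier ships is the entire key pair,
# so everyone who can read the source or the binary holds the signing exponent d.
TEST_PRIVATE_KEY = _gen_keypair(512, seed=45041)

# Hardened design: the binary carries only the public half. The private half
# lives with the vendor's offline signer and never appears in any artefact.
_OFFLINE_SIGNER_KEY = _gen_keypair(512, seed=45042)
LICENSE_PUBLIC_KEY = {"n": _OFFLINE_SIGNER_KEY["n"], "e": _OFFLINE_SIGNER_KEY["e"]}


def _canonical(payload):
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _payload_digest(payload):
    # 256-bit digest is always below the 512-bit modulus, so textbook RSA applies.
    return int.from_bytes(hashlib.sha256(_canonical(payload)).digest(), "big")


def sign_license(payload, private_key):
    body = base64.urlsafe_b64encode(_canonical(payload)).decode()
    sig = pow(_payload_digest(payload), private_key["d"], private_key["n"])
    return f"{body}.{sig:x}"


def _verify(token, public_key, now=None):
    """Returns the payload if the signature and expiry check out, else None."""
    try:
        body, _, sig_hex = token.partition(".")
        payload = json.loads(base64.urlsafe_b64decode(body))
        sig = int(sig_hex, 16)
    except (ValueError, TypeError):
        return None
    if not isinstance(payload, dict):
        return None
    if pow(sig, public_key["e"], public_key["n"]) != _payload_digest(payload):
        return None
    if payload.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return payload


def parse_license_vulnerable(token, now=None):
    """Mirrors the flawed design: the verifying key is derived from the embedded private key."""
    return _verify(token, {"n": TEST_PRIVATE_KEY["n"], "e": TEST_PRIVATE_KEY["e"]}, now)


def parse_license_hardened(token, now=None):
    return _verify(token, LICENSE_PUBLIC_KEY, now)


def forge_license(subject, exp):
    """What anyone holding the shipped constant can do: any subject, any expiry."""
    return sign_license({"sub": subject, "exp": exp}, TEST_PRIVATE_KEY)


def issue_license_offline(subject, exp):
    """Vendor-side issuance with the key that never ships in the binary."""
    return sign_license({"sub": subject, "exp": exp}, _OFFLINE_SIGNER_KEY)


if __name__ == "__main__":
    forged = forge_license("anyone", 4_000_000_000)
    print("vulnerable verifier accepts forgery:", parse_license_vulnerable(forged) is not None)
    print("hardened verifier accepts forgery:", parse_license_hardened(forged) is not None)
    legit = issue_license_offline("customer-1", 4_000_000_000)
    print("hardened verifier accepts vendor-issued:", parse_license_hardened(legit) is not None)
```

The hardened verifier is not cryptographically stronger than the vulnerable one; both run the same check. The only difference is which half of the key pair is compiled into the artefact, which is exactly the property an embedded-secret review should look for: a verifier needs nothing more than the public key, so any private key material in a shipped binary is a defect regardless of how it is used.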

HarborGuard Analysis

Synopsis

RustFS, a distributed object storage system written in Rust, ships the RSA private key used to verify license tokens as a string constant in its source code, so the key is present in every published source release and every compiled binary. Anyone who can read the public repository or run a string-extraction tool against a released binary obtains it without authenticating and without touching a running deployment. With the key, an attacker can mint license tokens for any subject and any expiration, which defeats license enforcement entirely when the license Cargo feature is enabled. The fix is in version 1.0.0-beta.2, and a patched-image rebuild at that version is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle RustFS. Any image carrying a RustFS binary older than 1.0.0-beta.2 with the license Cargo feature enabled is flagged automatically.

Status: Available
Triage

HarborGuard scores this finding at CVSS v4.0 8.7 (HIGH) and weights it against each customer environment's compliance policy to determine urgency. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available
Patch

A patched-image rebuild at RustFS 1.0.0-beta.2 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    Obtaining the key needs no access to any victim system: it is readable from the public source repository, or recoverable with a string-extraction tool from a released binary. Network reachability matters only for presenting a forged token to a running RustFS service.

  • Authentication: Not required

    No credentials are needed; the private key is publicly accessible in the open-source repository and in released binaries, so any party can retrieve it without authenticating.

  • Victim interaction: Not required

    The attacker forges license tokens independently and does not need any action from a user or operator of the affected system.

  • Attack complexity: Low

    Exploitation is reliable and condition-free; extracting the key requires only reading the source code or running a string-extraction tool against a released binary. The CVSS vector's AC:L reflects this.
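The string-extraction step mentioned above is also the check a defender runs to confirm which artefacts actually carry the key, rather than trusting a version string alone. The following is an added example, not HarborGuard or RustFS tooling: it scans raw bytes for PEM private-key headers, checks that a matching END marker follows, and base64-decodes the body to confirm it is DER (a real key body starts with the SEQUENCE tag 0x30), which separates a genuine embedded key from a mere mention of "private key" in an error message. The sample blob is constructed for the demonstration; its "key" is a few DER-shaped bytes, not real key material.

```python
"""Find PEM-encoded private keys inside a binary or image layer.

Added example, not HarborGuard or RustFS code. SAMPLE_BINARY is constructed
for the demo; the embedded "key" is a handful of DER-shaped bytes, not a key."""
import base64
import re

# Matches "BEGIN RSA PRIVATE KEY", "BEGIN EC PRIVATE KEY", "BEGIN PRIVATE KEY", etc.
# "BEGIN PUBLIC KEY" does not match, which is the point: public halves are fine to ship.
PEM_PRIVATE_HEADER = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----")


def find_embedded_private_keys(data: bytes) -> list:
    """One record per PEM private-key header found in `data`."""
    findings = []
    for m in PEM_PRIVATE_HEADER.finditer(data):
        label = m.group(1)
        end = data.find(b"-----END " + label + b"-----", m.end())
        rec = {
            "label": label.decode(),
            "offset": m.start(),
            "complete": end != -1,      # header without a footer: truncated or a stray string
            "der_sequence": False,      # body decodes and starts with DER SEQUENCE (0x30)
            "der_len": 0,
        }
        if end != -1:
            body = re.sub(rb"\s+", b"", data[m.end():end])
            try:
                der = base64.b64decode(body, validate=True)
                rec["der_len"] = len(der)
                rec["der_sequence"] = der[:1] == b"\x30"
            except ValueError:  # binascii.Error is a ValueError subclass
                pass
        findings.append(rec)
    return findings


def scan_file(path: str) -> list:
    with open(path, "rb") as fh:
        return find_embedded_private_keys(fh.read())


# Constructed sample: an ELF-like prefix, a prose mention that must not match,
# a public key (must not match), a complete fake RSA block, and a truncated EC header.
_FAKE_DER = b"\x30\x82\x00\x10" + bytes(range(16))   # not a real key
SAMPLE_BINARY = (
    b"\x7fELF" + bytes(64)
    + b"license: no private key configured\x00"
    + b"-----BEGIN PUBLIC KEY-----\nAAAA\n-----END PUBLIC KEY-----\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(_FAKE_DER)
    + b"-----END RSA PRIVATE KEY-----\n"
    + bytes(32)
    + b"-----BEGIN EC PRIVATE KEY-----\nAAAA\n"
    + bytes(16)
)

if __name__ == "__main__":
    for rec in find_embedded_private_keys(SAMPLE_BINARY):
        print(rec)
```

On a real artefact, `scan_file("/path/to/rustfs")` on a binary extracted from the image gives the same answer as `strings rustfs | grep 'BEGIN RSA PRIVATE KEY'`, with the extra DER check to rule out false positives. Two caveats: a release built with a different feature set or a different compiler may not contain the PEM text even though the source does, so a clean scan of one binary does not clear the version; and a positive result is a finding in its own right, whatever the version string says.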

Blast Radius

  • Attacker generates license tokens for any subject and any expiration date, granting themselves or others full access under forged licensing terms.
  • The entire license-enforcement mechanism is rendered ineffective whenever the license Cargo feature is enabled, removing any access or entitlement controls it enforces.
  • Operators lose the ability to audit or revoke license grants, because tokens signed with the publicly known key are indistinguishable from legitimately issued ones.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across all connected registries and CI pipelines, matching images that carry RustFS versions earlier than 1.0.0-beta.2. A patched-image rebuild at 1.0.0-beta.2 is available for environments running an affected version. For customers who opt into auto-remediation, HarborGuard can rebuild the image, run a regression test suite, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Until a rebuild is deployed, compensating controls worth considering include network-policy isolation that restricts which internal services can reach the RustFS API, and ingress filtering so that only the trusted path through which licenses are provisioned can present a token to the deployment. Rebuilding without the license Cargo feature is not a compensating control: the feature is a compile-time option, and removing it removes the check entirely, which is acceptable only if nothing relies on license enforcement for access or entitlement decisions. None of these controls help against a party who already holds a copy of the binary, since the key is recoverable from any affected release.


Metrics

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 1.0.0-beta.2
Affected products: 1
Affected packages:
  • rustfs / rustfs < 1.0.0-beta.2
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N