Cyber Resilience

CVE-2026-22782

Severity: Low · Public PoC

Published: 16 January 2026
Modified: 09 February 2026
KEV Added: not listed
Patch: fixed in 1.0.0-alpha.80
CVSS Score (v4): 2.9 · CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0002 (6.8th percentile)
Risk Priority: 6 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22782 is a low-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in RustFS by Rustfs. Its CVSS base score is 2.9 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AU-3 (Content of Audit Records) and AU-9 (Protection of Audit Information).

Deeper analysis

CVE-2026-22782 affects RustFS, a distributed object storage system implemented in Rust, specifically versions from 1.0.0-alpha.1 through 1.0.0-alpha.79. The vulnerability resides in the `crates/ecstore/src/rpc/http_auth.rs` module, where invalid RPC signatures trigger logging of sensitive data. In the invalid signature handling branch (lines 115-122), the server logs the shared HMAC secret along with the expected signature, both derived from the shared HMAC key. This exposure, classified as CWE-532 (Insertion of Sensitive Information into Log File), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.

Any unauthenticated remote attacker can trigger this by sending an invalidly signed RPC or admin request, which reaches the vulnerable function and causes the server to log the HMAC secret. Anyone with read access to the server logs, such as administrators, monitoring systems, or a compromised log-collection host, can extract the secret and use it to forge validly signed RPC calls. This compromises the integrity of RPC authentication and may allow unauthorized object storage operations.

The vulnerability is addressed in RustFS version 1.0.0-alpha.80, as detailed in the fix commit at https://github.com/rustfs/rustfs/commit/6b2eebee1d07399ef02c0863bd515b4412a5a560 and the GitHub Security Advisory GHSA-333v-68xh-8mmq at https://github.com/rustfs/rustfs/security/advisories/GHSA-333v-68xh-8mmq. Practitioners should upgrade to the patched version and review logs for exposed secrets, avoiding reliance on RPC signature validation alone for access control. The vulnerable code is viewable at https://github.com/rustfs/rustfs/blob/9e162b6e9ebb874cc1d06a7b33bc4a05786578aa/crates/ecstore/src/rpc/http_auth.rs#L115-L122.


Vulnerability details

RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls. In crates/ecstore/src/rpc/http_auth.rs, the invalid signature branch logs sensitive data. This log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers. This vulnerability is fixed in 1.0.0-alpha.80.
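The defect described in the deeper analysis and the vulnerability details above is a logging mistake in an authentication error path, not a flaw in the MAC itself. The following added example (not RustFS's own code; the project's `http_auth.rs` is not reproduced here) shows the pattern in a self-contained form: a `leaky_log_line` that interpolates the key material and expected signature the way the advisory describes, beside a hardened design in which the secret lives in a type with a redacted `Debug` and the error type carries only what an operator needs. The keyed hash `compute_signature` is a constructed stand-in so the block runs without external crates (a deployment would use HMAC-SHA256); all function and type names, the sample secret and the request path are hypothetical.

```rust
use std::fmt;

/// Wrapper for the shared HMAC key. Its Debug output is always redacted, so
/// an accidental `{:?}` in an error or log line cannot leak the key bytes.
pub struct SharedSecret(Vec<u8>);

impl SharedSecret {
    pub fn new(bytes: Vec<u8>) -> Self {
        SharedSecret(bytes)
    }
}

impl fmt::Debug for SharedSecret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("SharedSecret(<redacted>)")
    }
}

/// Constructed stand-in for HMAC so the block runs without external crates:
/// a keyed FNV-1a style mix over key || message. NOT a real MAC.
pub fn compute_signature(secret: &SharedSecret, message: &[u8]) -> [u8; 8] {
    let mut state: u64 = 0xcbf2_9ce4_8422_2325;
    for b in secret.0.iter().chain(message.iter()) {
        state ^= u64::from(*b);
        state = state.wrapping_mul(0x0000_0100_0000_01b3);
    }
    state.to_be_bytes()
}

/// Constant-time equality: no early exit on the first differing byte.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

pub fn to_hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

/// Error returned on a failed check. It carries only what an operator needs
/// to investigate (request path and the signature the client sent); the
/// secret and the expected signature are deliberately not fields here.
#[derive(Debug)]
pub struct InvalidSignature {
    pub path: String,
    pub provided_hex: String,
}

impl fmt::Display for InvalidSignature {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "invalid RPC signature for {}: provided={}", self.path, self.provided_hex)
    }
}

/// Verifies a client-supplied signature over `message`.
pub fn verify_signature(
    secret: &SharedSecret,
    path: &str,
    message: &[u8],
    provided: &[u8],
) -> Result<(), InvalidSignature> {
    let expected = compute_signature(secret, message);
    if ct_eq(&expected, provided) {
        Ok(())
    } else {
        Err(InvalidSignature { path: path.to_string(), provided_hex: to_hex(provided) })
    }
}

/// Shape of the pre-fix behaviour the advisory describes: the log line
/// interpolates the key material and the expected signature. Kept only so
/// the contrast with `safe_log_line` is visible.
pub fn leaky_log_line(secret: &[u8], expected: &[u8], provided: &[u8]) -> String {
    format!(
        "signature mismatch: secret={} expected={} provided={}",
        to_hex(secret), to_hex(expected), to_hex(provided)
    )
}

/// Hardened form: the log line is built from the error type, which cannot
/// contain the secret or the expected signature by construction.
pub fn safe_log_line(err: &InvalidSignature) -> String {
    format!("auth failure: {}", err)
}

/// Retrospective check for the "review logs for exposed secrets" advice.
/// Assumes the key would have been written as hex; adjust for other encodings.
pub fn log_line_exposes_secret(line: &str, secret: &SharedSecret) -> bool {
    line.contains(&to_hex(&secret.0))
}

fn main() {
    // Constructed sample: a hypothetical shared key and a tampered signature.
    let secret = SharedSecret::new(b"constructed-test-secret".to_vec());
    let msg = b"POST /rpc/admin/info";
    let mut sig = compute_signature(&secret, msg);
    sig[0] ^= 0x01; // corrupt one byte so verification fails
    match verify_signature(&secret, "/rpc/admin/info", msg, &sig) {
        Ok(()) => println!("accepted"),
        Err(e) => println!("{}", safe_log_line(&e)),
    }
}
```

The design point is that redaction is enforced by types rather than by reviewer discipline: once the key is held in `SharedSecret`, neither `{:?}` formatting nor an error struct can emit it, and the only way to print it is to reach into the raw bytes deliberately. `log_line_exposes_secret` is the kind of check an operator can run over existing logs from an affected version before rotating the key.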

CWE(s)

CWE-532 Insertion of Sensitive Information into Log File

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

A remote, unauthenticated trigger on a public-facing RPC endpoint directly matches T1190; the resulting exposure of the HMAC secret in logs enables credential access, matching T1552.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24762 (same product: Rustfs Rustfs)
CVE-2026-21862 (same product: Rustfs Rustfs)
CVE-2025-68705 (same product: Rustfs Rustfs)
CVE-2026-40937 (same product: Rustfs Rustfs)
CVE-2026-27607 (same product: Rustfs Rustfs)
CVE-2026-22042 (same product: Rustfs Rustfs)
CVE-2026-22043 (same product: Rustfs Rustfs)
CVE-2026-27822 (same product: Rustfs Rustfs)
CVE-2025-68926 (same product: Rustfs Rustfs)
CVE-2024-48852 (shared CWE-532)

Affected Assets

Vendor: rustfs · Product: rustfs · Version: 1.0.0

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

prevent · SI-11 (Error Handling): ensures error handling for invalid RPC signatures does not log sensitive HMAC secrets, directly preventing the information disclosure in RustFS server logs.

prevent · AU-3 (Content of Audit Records): mandates that the content of audit records excludes sensitive information such as shared HMAC keys, avoiding their inclusion in logs triggered by invalid signatures.

prevent · AU-9 (Protection of Audit Information): protects audit information and logs from unauthorized access or modification, mitigating exposure of any accidentally logged HMAC secrets to log readers.
