Cyber Posture

CVE-2026-22782

Severity: High · Public PoC

Published: 16 January 2026
Modified: 09 February 2026
KEV Added: not listed
Patch: available (fixed in 1.0.0-alpha.80)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0002 (6.0th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22782 is a high-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in Rustfs Rustfs. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-532

Procedures mandate excluding sensitive data from logs to prevent unauthorized exposure via audit records.

addresses: CWE-532

Identifies insertion of sensitive data into logs, allowing detection of unauthorized disclosure.

addresses: CWE-532

Cross-organizational coordination enables agreement on what data to include in audit logs, directly reducing insertion of sensitive information.

addresses: CWE-532

Identifying logging as a data action allows prevention of sensitive information being inserted into log files.

addresses: CWE-532

The process of identifying and eradicating spilled information applies directly to sensitive data inserted into log files.

addresses: CWE-532

Specific processing rules for sensitive PII categories commonly include restrictions on logging, making insertion of such data into log files less likely.

addresses: CWE-532

PIAs detect planned or existing logging of PII and require removal or protection, preventing insertion of sensitive information into logs.

addresses: CWE-532

Limits insertion of sensitive operational details into logs by treating such data as key information requiring protection.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552 Unsecured Credentials (Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Remote unauthenticated trigger on public-facing RPC endpoint directly matches T1190; resulting exposure of HMAC secret in logs enables credential access matching T1552.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls. In crates/ecstore/src/rpc/http_auth.rs, the invalid signature branch logs sensitive data. This log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers. This vulnerability is fixed in 1.0.0-alpha.80.

Deeper analysis (AI)

CVE-2026-22782 affects RustFS, a distributed object storage system implemented in Rust, specifically versions from 1.0.0-alpha.1 through 1.0.0-alpha.79. The vulnerability resides in the `crates/ecstore/src/rpc/http_auth.rs` module, where invalid RPC signatures trigger logging of sensitive data. In the invalid signature handling branch (lines 115-122), the server logs the shared HMAC secret along with the expected signature, both derived from the shared HMAC key. This exposure, classified as CWE-532 (Insertion of Sensitive Information into Log File), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.

Any unauthenticated remote attacker can exploit this by sending an invalidly signed RPC or admin request, which reaches the vulnerable function and causes the server to log the HMAC secret. Log readers with access to server logs—such as administrators, monitoring systems, or compromised hosts—can extract the secret, enabling them to forge valid RPC calls. This compromises the integrity of RPC authentication, potentially allowing unauthorized access to object storage operations.

The vulnerability is addressed in RustFS version 1.0.0-alpha.80, as detailed in the fix commit at https://github.com/rustfs/rustfs/commit/6b2eebee1d07399ef02c0863bd515b4412a5a560 and the GitHub Security Advisory GHSA-333v-68xh-8mmq at https://github.com/rustfs/rustfs/security/advisories/GHSA-333v-68xh-8mmq. Practitioners should upgrade to the patched version and review logs for exposed secrets, avoiding reliance on RPC signature validation alone for access control. The vulnerable code is viewable at https://github.com/rustfs/rustfs/blob/9e162b6e9ebb874cc1d06a7b33bc4a05786578aa/crates/ecstore/src/rpc/http_auth.rs#L115-L122.
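The logging defect described in the NVD text and the analysis above, as an added Rust example that is not RustFS's own code: `verify_vulnerable` reproduces the CWE-532 pattern in which the invalid-signature branch formats the secret and the expected signature into the log line, and `verify_fixed` shows the hardened shape, a `SharedSecret` newtype whose `Debug` output is redacted plus a log line that carries only request context. The keyed digest is a constructed FNV-style stand-in for HMAC-SHA256 so the block runs without external crates; all function names and sample values are assumptions.

```rust
use std::fmt;

/// Newtype for key material: Debug never prints the bytes, so even an
/// accidental `{:?}` in a log line cannot leak the secret.
pub struct SharedSecret(pub Vec<u8>);

impl fmt::Debug for SharedSecret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("SharedSecret([REDACTED])")
    }
}

/// Constructed stand-in for HMAC-SHA256 (FNV-1a over secret|msg) so the
/// example runs without crates; it is NOT a secure MAC.
pub fn keyed_digest(secret: &[u8], msg: &[u8]) -> String {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in secret.iter().chain(b"|".iter()).chain(msg.iter()) {
        h ^= *b as u64;
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    format!("{:016x}", h)
}

/// Length check followed by a constant-time byte comparison.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Vulnerable pattern (CWE-532): the mismatch branch writes the secret and
/// the expected signature into the log line. Returns (valid, log_line).
pub fn verify_vulnerable(secret: &[u8], msg: &[u8], provided: &str) -> (bool, String) {
    let expected = keyed_digest(secret, msg);
    if constant_time_eq(expected.as_bytes(), provided.as_bytes()) {
        return (true, String::new());
    }
    let log = format!("invalid signature: secret={} expected={} got={}",
        String::from_utf8_lossy(secret), expected, provided);
    (false, log)
}

/// Hardened pattern: the secret only exists as `SharedSecret`, and the log
/// line records request context, never key material or the expected value.
pub fn verify_fixed(secret: &SharedSecret, msg: &[u8], provided: &str) -> (bool, String) {
    let expected = keyed_digest(&secret.0, msg);
    if constant_time_eq(expected.as_bytes(), provided.as_bytes()) {
        return (true, String::new());
    }
    let log = format!("invalid signature: msg_len={} key={:?}", msg.len(), secret);
    (false, log)
}
```

A log-review check for an already-exposed deployment is the inverse of the test below: grep the server logs for the `secret=` / `expected=` fields and rotate the key if they appear.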

Details

CWE(s): CWE-532 Insertion of Sensitive Information into Log File

Affected Products

rustfs
rustfs
1.0.0

CVEs Like This One

CVE-2026-24762: same product (Rustfs Rustfs)
CVE-2026-21862: same product (Rustfs Rustfs)
CVE-2026-40937: same product (Rustfs Rustfs)
CVE-2025-68705: same product (Rustfs Rustfs)
CVE-2026-22043: same product (Rustfs Rustfs)
CVE-2026-22042: same product (Rustfs Rustfs)
CVE-2026-27607: same product (Rustfs Rustfs)
CVE-2026-27822: same product (Rustfs Rustfs)
CVE-2025-68926: same product (Rustfs Rustfs)
CVE-2026-25813: shared CWE-532
