CVE-2026-24762
Published: 03 February 2026
Summary
CVE-2026-24762 is a high-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in RustFS (NVD vendor Rustfs, product Rustfs). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). It is ranked at the 15.1 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Procedures mandate excluding sensitive data from logs to prevent unauthorized exposure via audit records.
- Identifies insertion of sensitive data into logs, allowing detection of unauthorized disclosure.
- Cross-organizational coordination enables agreement on what data to include in audit logs, directly reducing insertion of sensitive information.
- Identifying logging as a data action allows prevention of sensitive information being inserted into log files.
- The process of identifying and eradicating spilled information applies directly to sensitive data inserted into log files.
- Specific processing rules for sensitive PII categories commonly include restrictions on logging, making insertion of such data into log files less likely.
- PIAs detect planned or existing logging of PII and require removal or protection, preventing insertion of sensitive information into logs.
- Limits insertion of sensitive operational details into logs by treating such data as key information requiring protection.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Plaintext credential logging in application log files directly enables T1552.001 by exposing access/secret keys and tokens in files accessible to attackers with log read permissions.
NVD Description
RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material (access key, secret key, session token) to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be accessible to internal or external log consumers and could lead to compromise of sensitive credentials. This issue has been patched in version alpha.82.
Deeper analysis (AI-generated)
CVE-2026-24762 affects RustFS, a distributed object storage system implemented in Rust, specifically versions from alpha.13 to alpha.81 inclusive. The vulnerability involves the logging of sensitive credential material—including access keys, secret keys, and session tokens—at the INFO log level in plaintext within application logs. This exposure, classified under CWE-532 (Insertion of Sensitive Information into Log File), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with network accessibility and no prerequisites for exploitation.
Attackers can exploit this issue by gaining access to the RustFS application logs, which may be consumed internally by administrators, monitoring systems, or externally via log aggregation services. No special privileges or user interaction are required, allowing any entity with log read permissions—such as compromised internal accounts, misconfigured log shipping, or external log viewers—to extract the plaintext credentials. Successful exploitation enables full compromise of the associated credentials, potentially granting unauthorized access to RustFS storage resources or linked services.
The GitHub Security Advisory at https://github.com/rustfs/rustfs/security/advisories/GHSA-r54g-49rx-98cr details the patch in RustFS version alpha.82, which addresses the logging of sensitive material. Security practitioners should upgrade to alpha.82 or later and review existing logs from affected versions for credential exposure, implementing log access controls and rotation to mitigate risks.
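As an added illustration (not RustFS code and not the advisory's patch), the Rust pattern that prevents this class of bug at the type level: a newtype whose Debug impl redacts, so the credential triple named above cannot reach an INFO line through `{:?}`, shown beside the pre-fix shape and a log-review check. `Secret`, `Credentials`, `info_line`, `leaky_info_line` and `leaks_secret` are hypothetical names, and the key values are constructed.

```rust
use std::fmt;

/// Newtype whose Debug impl never prints the inner value, so a `{:?}` in a log
/// macro cannot leak it (hand-rolled form of the `secrecy` crate's pattern).
pub struct Secret(String);

impl Secret {
    pub fn new(s: impl Into<String>) -> Self { Secret(s.into()) }
    /// The only way back to plaintext: an explicit, greppable call.
    pub fn expose(&self) -> &str { &self.0 }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str("[REDACTED]") }
}

/// The credential triple the advisory names: access key, secret key, session token.
#[derive(Debug)]
pub struct Credentials {
    pub access_key: String,            // an identifier, acceptable in logs
    pub secret_key: Secret,            // redacted by construction
    pub session_token: Option<Secret>, // redacted by construction
}

/// Pre-fix shape of the bug: secret material interpolated straight into an INFO line.
pub fn leaky_info_line(access_key: &str, secret_key: &str) -> String {
    format!("INFO credentials loaded: access_key={access_key} secret_key={secret_key}")
}

/// Hardened shape: the same INFO line rendered through the redacting Debug impl.
pub fn info_line(creds: &Credentials) -> String {
    format!("INFO credentials loaded: {:?}", creds)
}

/// Defender-side check for log review: does a rendered line contain any secret?
pub fn leaks_secret(line: &str, creds: &Credentials) -> bool {
    line.contains(creds.secret_key.expose())
        || creds.session_token.as_ref().map_or(false, |t| line.contains(t.expose()))
}

fn main() {
    // Constructed sample values, not real keys.
    let creds = Credentials {
        access_key: "AKIAEXAMPLE0000".into(),
        secret_key: Secret::new("example-secret-key-not-real"),
        session_token: Some(Secret::new("example-session-token")),
    };
    println!("{}", info_line(&creds)); // ... secret_key: [REDACTED], session_token: Some([REDACTED]) }
    assert!(!leaks_secret(&info_line(&creds), &creds));
}
```

Because `Secret` has no Display impl, a stray `{}` on it is a compile error rather than a leak, which is the property that makes the pattern worth adopting over reviewing each log call by hand.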
Details
- CWE(s)