CVE-2026-24762
Published: 03 February 2026
Summary
CVE-2026-24762 is a medium-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in RustFS (vendor: Rustfs). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The vulnerability is ranked at the 18.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-9 (Protection of Audit Information) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-24762 affects RustFS, a distributed object storage system implemented in Rust, in versions alpha.13 through alpha.81 inclusive. Affected versions write sensitive credential material (access keys, secret keys, and session tokens) to application logs at the INFO level in plaintext. The exposure is classified under CWE-532 (Insertion of Sensitive Information into Log File) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): high confidentiality impact, reachable over the network, with no privileges or user interaction required.
Exploitation requires only read access to the RustFS application logs, which may be consumed internally by administrators and monitoring systems or externally through log aggregation services. Because no special privileges or user interaction are needed, any entity with log read permissions (a compromised internal account, a misconfigured log-shipping pipeline, an external log viewer) can extract the plaintext credentials. Successful exploitation yields full compromise of the logged credentials and, with them, potentially unauthorized access to RustFS storage resources or linked services.
The GitHub Security Advisory at https://github.com/rustfs/rustfs/security/advisories/GHSA-r54g-49rx-98cr describes the patch in RustFS version alpha.82, which removes the logging of sensitive material. Security practitioners should upgrade to alpha.82 or later, review logs retained from affected versions for credential exposure, rotate any credentials found there, and enforce access controls and rotation on the logs themselves.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5218
Vulnerability details
RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material (access key, secret key, session token) to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be accessible to internal or external log consumers and could lead to compromise of sensitive credentials. This issue has been patched in version alpha.82.
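The pattern the advisory and the analysis above describe, shown in generic Rust as an added illustration that is neither RustFS code nor taken from the advisory: a credential struct whose derived Debug output lands verbatim in an INFO-level log line, beside a hardened form whose hand-written Debug implementation keeps only a short access-key prefix for correlation and redacts the secrets. The type names, the `info_line` stand-in for a logging macro, and the sample credential values are all constructed for this example. The `line_exposes_secret` helper is a simple check a defender might run over logs retained from affected versions when the secret values in use are known.

```rust
use std::fmt;

// Vulnerable shape (constructed, hypothetical type): deriving Debug means every
// field, secrets included, is rendered by `{:?}` wherever the value is logged.
#[derive(Debug, Clone)]
struct RawCredentials {
    access_key: String,
    secret_key: String,
    session_token: String,
}

// Hardened shape (constructed, hypothetical type): same data, but Debug output
// never contains the secret values, so an INFO line cannot leak them.
#[derive(Clone)]
struct Credentials {
    access_key: String,
    secret_key: String,
    session_token: String,
}

impl fmt::Debug for Credentials {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Keep a 4-character prefix of the access key for log correlation only.
        let prefix: String = self.access_key.chars().take(4).collect();
        let shown = format!("{prefix}...");
        // Record whether a secret is present, never its value.
        let secret_state = if self.secret_key.is_empty() { "<unset>" } else { "[REDACTED]" };
        let token_state = if self.session_token.is_empty() { "<unset>" } else { "[REDACTED]" };
        f.debug_struct("Credentials")
            .field("access_key", &shown)
            .field("secret_key", &secret_state)
            .field("session_token", &token_state)
            .finish()
    }
}

// Stand-in for a logging macro: renders an INFO line with the value's Debug form.
fn info_line(msg: &str, value: &dyn fmt::Debug) -> String {
    format!("INFO {msg}: {value:?}")
}

// Constructed sample values; not real credentials.
fn sample_raw() -> RawCredentials {
    RawCredentials {
        access_key: "AKIAEXAMPLE0000".to_string(),
        secret_key: "topsecret-constructed-value".to_string(),
        session_token: "session-token-constructed".to_string(),
    }
}

// The affected-version behaviour: the whole struct, secrets included, hits the log.
fn vulnerable_log_line() -> String {
    info_line("authenticated request", &sample_raw())
}

// The patched behaviour: the same event logged through the redacting type.
fn hardened_log_line() -> String {
    let raw = sample_raw();
    let safe = Credentials {
        access_key: raw.access_key,
        secret_key: raw.secret_key,
        session_token: raw.session_token,
    };
    info_line("authenticated request", &safe)
}

// Retrospective check for retained logs: true when a line contains any of the
// known secret values. A constructed helper, not an official scanner.
fn line_exposes_secret(line: &str, secrets: &[&str]) -> bool {
    secrets.iter().any(|s| !s.is_empty() && line.contains(*s))
}

fn main() {
    println!("{}", vulnerable_log_line());
    println!("{}", hardened_log_line());
}
```

Redacting inside the type rather than at each call site is the durable fix: a new `info!` or `debug!` added later cannot reintroduce the leak, because the secret never has a Debug representation. Any credential found by the retrospective check should be treated as compromised and rotated, since the log may already have reached an aggregation service.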
CWE(s)
- CWE-532 (Insertion of Sensitive Information into Log File)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Credentials In Files (T1552.001)
Why these techniques?
Plaintext credential logging in application log files directly enables T1552.001 by exposing access/secret keys and tokens in files accessible to attackers with log read permissions.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the flaw in RustFS versions alpha.13 to alpha.81 that logs sensitive credentials in plaintext by applying the patch released in alpha.82.
- AU-9 (Protection of Audit Information): Protects application logs containing exposed access keys, secret keys, and session tokens from unauthorized access, modification, or deletion, preventing exploitation by log consumers.
- Monitors for unauthorized disclosure of sensitive credentials from RustFS application logs, identifying potential compromises via internal or external log access.