Cyber Resilience

CVE-2026-24762

Severity: Medium
Published: 03 February 2026
Modified: 23 February 2026
CVSS v4 score: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0006 (18.9th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-24762 is a medium-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in RustFS (listed as Rustfs Rustfs). Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). EPSS ranks it at the 18.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-9 (Protection of Audit Information) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-24762 affects RustFS, a distributed object storage system implemented in Rust, specifically versions from alpha.13 to alpha.81 inclusive. The vulnerability involves the logging of sensitive credential material—including access keys, secret keys, and session tokens—at the INFO log level in plaintext within application logs. This exposure, classified under CWE-532 (Insertion of Sensitive Information into Log File), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): high confidentiality impact, network-reachable, and requiring neither privileges nor user interaction.

Attackers can exploit this issue by gaining access to the RustFS application logs, which may be consumed internally by administrators, monitoring systems, or externally via log aggregation services. No special privileges or user interaction are required, allowing any entity with log read permissions—such as compromised internal accounts, misconfigured log shipping, or external log viewers—to extract the plaintext credentials. Successful exploitation enables full compromise of the associated credentials, potentially granting unauthorized access to RustFS storage resources or linked services.

The GitHub Security Advisory at https://github.com/rustfs/rustfs/security/advisories/GHSA-r54g-49rx-98cr details the patch in RustFS version alpha.82, which addresses the logging of sensitive material. Security practitioners should upgrade to alpha.82 or later and review existing logs from affected versions for credential exposure, implementing log access controls and rotation to mitigate risks.
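Two defensive measures the analysis above implies, written here as an added Rust example (not RustFS's own code): a credential type whose Debug output masks the secret key and session token, so that a log statement formatting it at INFO level cannot leak them, and a scanner that flags `secret_key=`/`session_token=` pairs in existing log lines from affected versions. The struct, field names and log format are assumptions for illustration.

```rust
use std::fmt;

/// Hypothetical credential set, modelled on the fields the advisory names
/// (access key, secret key, session token). Not RustFS's own type.
pub struct Credentials {
    pub access_key: String,
    pub secret_key: String,
    pub session_token: Option<String>,
}

/// Debug shows only the access key; secrets are masked, so a
/// `{:?}`-style log statement cannot record them in plaintext.
impl fmt::Debug for Credentials {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("Credentials")
            .field("access_key", &self.access_key)
            .field("secret_key", &"[REDACTED]")
            .field("session_token", &self.session_token.as_ref().map(|_| "[REDACTED]"))
            .finish()
    }
}

/// Scan one log line for `key=value` tokens whose key names a secret and
/// return the exposed pairs, for triaging logs written by affected versions.
/// The key names are assumptions, not RustFS's actual log fields.
pub fn exposed_secrets(line: &str) -> Vec<(&str, &str)> {
    const SENSITIVE: [&str; 2] = ["secret_key", "session_token"];
    line.split(|c: char| c.is_whitespace() || c == ',')
        .filter_map(|tok| tok.split_once('='))
        .filter(|(k, v)| SENSITIVE.contains(k) && !v.is_empty() && *v != "[REDACTED]")
        .collect()
}

fn main() {
    let creds = Credentials {
        access_key: "AKIAEXAMPLE".into(),
        secret_key: "constructed-secret".into(),
        session_token: Some("constructed-token".into()),
    };
    println!("{creds:?}"); // secret_key and session_token appear as [REDACTED]

    // Constructed log line in the shape the advisory describes: INFO level, plaintext.
    let line = "INFO auth ok access_key=AKIAEXAMPLE secret_key=constructed-secret session_token=constructed-token";
    for (key, value) in exposed_secrets(line) {
        println!("exposed {key} ({} chars) - rotate this credential", value.len());
    }
}
```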


Vulnerability details

RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material (access key, secret key, session token) to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be accessible to internal or external log consumers and could lead to compromise of sensitive credentials. This issue has been patched in version alpha.82.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Plaintext credential logging in application log files directly enables T1552.001 by exposing access/secret keys and tokens in files accessible to attackers with log read permissions.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22782 (same product: Rustfs Rustfs)
CVE-2026-27607 (same product: Rustfs Rustfs)
CVE-2025-68705 (same product: Rustfs Rustfs)
CVE-2026-22042 (same product: Rustfs Rustfs)
CVE-2026-21862 (same product: Rustfs Rustfs)
CVE-2026-22043 (same product: Rustfs Rustfs)
CVE-2026-40937 (same product: Rustfs Rustfs)
CVE-2026-27822 (same product: Rustfs Rustfs)
CVE-2025-68926 (same product: Rustfs Rustfs)
CVE-2024-7577 (shared CWE-532)

Affected Assets

rustfs rustfs 1.0.0

Mitigating Controls

NIST 800-53 r5 controls:

Prevent (SI-2 Flaw Remediation): Directly remediates the flaw in RustFS versions alpha.13 to alpha.81 that logs sensitive credentials in plaintext by applying the patch released in alpha.82.

Prevent (AU-9 Protection of Audit Information): Protects application logs containing exposed access keys, secret keys, and session tokens from unauthorized access, modification, or deletion, preventing exploitation by log consumers.

Detect: Monitors for unauthorized disclosure of sensitive credentials from RustFS application logs, identifying potential compromises via internal or external log access.
