Cyber Resilience

CVE-2026-45039

CriticalUpdated

Published: 28 May 2026

Published
28 May 2026
Modified
17 June 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0027 18.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-45039 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, get_shared_secret() in crates/ecstore/src/rpc/http_auth.rs, falls back to…

more

the public, source-tree-embedded DEFAULT_SECRET_KEY = "rustfsadmin" when neither the RUSTFS_RPC_SECRET environment variable nor the global S3 secret key has been configured. This vulnerability is fixed in 1.0.0-beta.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Default hardcoded RPC secret enables remote exploitation of public-facing storage service via known credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25202Shared CWE-798
CVE-2025-35452Shared CWE-1392, CWE-798
CVE-2024-8893Shared CWE-798
CVE-2026-22273Shared CWE-1392
CVE-2026-1221Shared CWE-798
CVE-2023-53983Shared CWE-798
CVE-2024-57040Shared CWE-798
CVE-2026-22769Shared CWE-798
CVE-2025-67418Shared CWE-798
CVE-2025-0482Shared CWE-1392

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-798 CWE-1392

Policy and procedures prohibit hard-coded credentials in favor of managed authentication.

addresses: CWE-798 CWE-1392

Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.

addresses: CWE-798 CWE-1392

Strategy enforces supplier requirements and code reviews that reduce hard-coded credentials introduced through acquired products.

addresses: CWE-798 CWE-1392

Requiring security functional requirements and acceptance criteria allows contracts to prohibit hard-coded credentials in delivered systems or components.

addresses: CWE-798 CWE-1392

Known vulnerabilities section of admin docs covers hard-coded credentials and how to replace them, limiting their use in deployments.

addresses: CWE-798

Enables users to notice when hard-coded credentials have been exploited for unauthorized access.

addresses: CWE-798

Security training explicitly warns against hard-coded credentials, lowering their use in systems.

addresses: CWE-1392

Mandates replacement of default credentials during secure configuration and provisioning procedures.

References