GHSA-333V-68XH-8MMQ

Vulnerability from github – Published: 2026-01-16 15:48 – Updated: 2026-01-16 19:10
VLAI?
Summary
RustFS's RPC signature verification logs shared secret
Details

Summary

Invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls.

Details

In crates/ecstore/src/rpc/http_auth.rs:115-122 , the invalid signature branch logs sensitive data:

if signature != expected_signature {
    error!(
        "verify_rpc_signature: Invalid signature: secret {}, url {}, method {}, timestamp {}, signature {}, expected_signature {}",
        secret, url, method, timestamp, signature, expected_signature
    );

    return Err(std::io::Error::other("Invalid signature"));
}

This log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers.

PoC

  1. Run RustFS with error logging enabled.
  2. Send a request with an invalid signature: ts=$(date +%s) curl -v \ -H "x-rustfs-timestamp: $ts" \ -H "x-rustfs-signature: invalid-signature" \ "http://localhost:9000/rustfs/rpc/read_file_stream?disk=foo&volume=bar&path=baz&offset=0&length=1"
  3. Observed output: HTTP 403 AccessDenied: Invalid signature verify_rpc_signature: Invalid signature: secret rustfsadmin, url /rustfs/rpc/read_file_stream?disk=foo&volume=bar&path=baz&offset=0&length=1, method GET, timestamp 1767852115, signature invalid-signature, expected_signature oisNxNRTb80GXf97s/PGdScJzu8QB9Oxs+uOwf8RiK8=

Impact

  • Exposes the shared RPC HMAC secret to log readers.
  • Enables attackers with log access to forge valid RPC signatures and make unauthorized RPC calls.
Severity ?
2.9 (Low)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.0-alpha.79"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "rustfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0-alpha.1"
            },
            {
              "fixed": "1.0.0-alpha.80"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-16T15:48:58Z",
    "nvd_published_at": "2026-01-16T17:15:54Z",
    "severity": "LOW"
  },
  "details": "### Summary\nInvalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls.\n\n### Details\nIn [`crates/ecstore/src/rpc/http_auth.rs:115-122`](https://github.com/rustfs/rustfs/blob/9e162b6e9ebb874cc1d06a7b33bc4a05786578aa/crates/ecstore/src/rpc/http_auth.rs#L115-L122) , the invalid signature branch logs sensitive data:\n```rs\nif signature != expected_signature {\n    error!(\n        \"verify_rpc_signature: Invalid signature: secret {}, url {}, method {}, timestamp {}, signature {}, expected_signature {}\",\n        secret, url, method, timestamp, signature, expected_signature\n    );\n\n    return Err(std::io::Error::other(\"Invalid signature\"));\n}\n```\n\nThis log line includes `secret` and `expected_signature`, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers.\n\n### PoC\n1. Run RustFS with error logging enabled.\n1. Send a request with an invalid signature:\n    ```\n     ts=$(date +%s)\n     curl -v \\\n       -H \"x-rustfs-timestamp: $ts\" \\\n       -H \"x-rustfs-signature: invalid-signature\" \\\n       \"http://localhost:9000/rustfs/rpc/read_file_stream?disk=foo\u0026volume=bar\u0026path=baz\u0026offset=0\u0026length=1\"\n    ```\n1. Observed output:\n    ```\n     HTTP 403 AccessDenied: Invalid signature\n     verify_rpc_signature: Invalid signature: secret rustfsadmin, url /rustfs/rpc/read_file_stream?disk=foo\u0026volume=bar\u0026path=baz\u0026offset=0\u0026length=1, method GET, timestamp 1767852115, signature invalid-signature, expected_signature oisNxNRTb80GXf97s/PGdScJzu8QB9Oxs+uOwf8RiK8=\n    ```\n### Impact\n\n- Exposes the shared RPC HMAC secret to log readers.\n- Enables attackers with log access to forge valid RPC signatures and make unauthorized RPC calls.",
  "id": "GHSA-333v-68xh-8mmq",
  "modified": "2026-01-16T19:10:59Z",
  "published": "2026-01-16T15:48:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-333v-68xh-8mmq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22782"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rustfs/rustfs/commit/6b2eebee1d07399ef02c0863bd515b4412a5a560"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rustfs/rustfs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rustfs/rustfs/blob/9e162b6e9ebb874cc1d06a7b33bc4a05786578aa/crates/ecstore/src/rpc/http_auth.rs#L115-L122"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "RustFS\u0027s RPC signature verification logs shared secret"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.