Impact
In RustFS, an invalid RPC signature causes the server to log the shared HMAC secret and the expected signature. When any malformed request is received, the log entry contains the secret key that authenticates RPC calls. This leak exposes the secret to anyone who can read the server logs, enabling an attacker to forge valid RPC requests and bypass authentication. The vulnerability is a classic example of sensitive data being written to logs, as described by CWE-532.
Affected Systems
RustFS, the distributed object storage system written in Rust, contains the vulnerability in all releases from 1.0.0-alpha.1 through 1.0.0-alpha.79. The fix is included in version 1.0.0-alpha.80 and later.
Risk and Exploitability
The CVSS score of 2.9 indicates low technical severity, and the EPSS score of less than 1% reflects a low probability of exploitation in the wild. RustFS is not listed in the CISA KEV catalog. Nonetheless, any attacker who can send RPC or admin requests with an invalid signature will trigger the logging path. If that attacker also has read access to the logs, or can obtain them from a compromised machine, they can extract the HMAC key and then forge authenticated RPC calls. The attack vector is the remote RPC interface; the flaw does not by itself allow arbitrary code execution, but it defeats the authenticity of RPC calls and can enable further compromise.
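As an added illustration (not RustFS code), the leaky error message the advisory describes beside a hardened signature check: the error that ends up in the log names only the request id and signature length, and the secret type redacts itself even under `{:?}`. The keyed digest is a stand-in for HMAC-SHA256, and `RpcSecret`, `mac`, `verify` and the request id are assumed names.

```rust
use std::fmt;

/// Shared RPC secret. The custom Debug impl redacts the bytes, so a derived
/// Debug on any struct that embeds it cannot print the key into a log line.
pub struct RpcSecret(Vec<u8>);

impl RpcSecret {
    pub fn new(bytes: &[u8]) -> Self { RpcSecret(bytes.to_vec()) }
}

impl fmt::Debug for RpcSecret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "RpcSecret([REDACTED; {} bytes])", self.0.len())
    }
}

pub fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

/// Keyed digest stand-in so the example needs no crates (assumption: a real
/// server uses HMAC-SHA256). Only the logging behaviour matters here.
pub fn mac(secret: &RpcSecret, msg: &[u8]) -> [u8; 8] {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in secret.0.iter().chain(msg) {
        h = (h ^ *b as u64).wrapping_mul(0x0100_0000_01b3);
    }
    h.to_be_bytes()
}

/// Constant-time comparison: no early exit on the first differing byte.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// The CWE-532 pattern: the mismatch message carries the secret and the
/// expected signature, so anyone who can read the log can forge requests.
pub fn leaky_error(secret: &RpcSecret, expected: &[u8]) -> String {
    format!("signature mismatch: expected={} secret={}", hex(expected), hex(&secret.0))
}

/// Hardened check: the error (which is what gets logged) names only the
/// request id and the length of the signature the client sent. The `{:?}`
/// of the key is safe here only because of the redacting Debug impl above.
pub fn verify(secret: &RpcSecret, req_id: &str, msg: &[u8], sig: &[u8]) -> Result<(), String> {
    let expected = mac(secret, msg);
    if ct_eq(&expected, sig) {
        return Ok(());
    }
    Err(format!("invalid RPC signature: request_id={} sig_len={} key={:?}",
                req_id, sig.len(), secret))
}
```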
OpenCVE Enrichment