Description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TEST_PRIVATE_KEY and uses it in production via parse_license() to "verify" license tokens. Because the key is embedded in every published source release and binary, anyone who can read the repository or extract it from the binary can mint arbitrary license tokens (any subject, any expiration). When the license Cargo feature is enabled, this defeats the entire license-enforcement mechanism. This vulnerability is fixed in 1.0.0-beta.2.
Published: 2026-05-28
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

RustFS releases before 1.0.0-beta.2 embed a 2048-bit RSA private key in both the source tree and the shipped binary. The verifier uses this key to check license tokens, so anyone who obtains it can create license tokens with any subject or expiration. This defeats the license enforcement and allows an attacker to run RustFS with full privileges or enable features that would otherwise be restricted.

Affected Systems

The RustFS project (vendor/product identifier rustfs:rustfs) is affected in all releases up to 1.0.0-beta.1. Users running those versions should consult the project's release notes and upgrade to 1.0.0-beta.2 or later.

Risk and Exploitability

The CVSS score of 8.7 rates this vulnerability as high severity. Because the key is shipped in both the source and the binary, an attacker with access to the repository or the compiled package can retrieve it and generate valid license tokens; however, no public exploitation is known and the issue is not listed in the CISA KEV catalog. The probability of exploitation is therefore considered moderate for environments where the binary or source can be inspected. The main impact is that an attacker could abuse license-gated functionality or elevate privileges within a RustFS deployment.

Generated by OpenCVE AI on May 28, 2026 at 20:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RustFS to version 1.0.0-beta.2 or later, which removes the hard-coded private key.
  • If an upgrade is not immediately possible, disable license verification by removing the license Cargo feature from the build configuration, so that forged license tokens are never accepted as valid.
  • Revoke any license tokens that may have been forged with the exposed key and invalidate all stored keys in client configurations to prevent continued use of the compromised credentials.

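The description and the recommended actions both turn on one fact: the private key can be recovered from the repository or from the compiled binary, so any artifact that still contains it is compromised. A defender auditing a build for this class of issue (CWE-321, use of a hard-coded cryptographic key) scans the artifacts themselves for embedded PEM private-key blocks. The following is an added example written for this page, not code from the RustFS project or from OpenCVE: a standard-library-only Python scanner that locates PEM blocks whose label contains PRIVATE KEY in any byte stream (a binary with real newlines, or source code where the newlines are literal `\n` escapes inside a string constant), checks that the base64 body decodes, and for PKCS#1 RSA keys reports the modulus size. The sample "binary", the sample source constant and the toy 64-bit key are all constructed here for demonstration; none of them is the real key.

```python
"""Locate embedded PEM private keys in source files or compiled binaries (CWE-321 audit).

Added example for this page; not code from RustFS or OpenCVE. Standard library only.
"""
import base64
import re
import sys
from typing import Dict, List

# A PEM block whose label contains "PRIVATE KEY" (RSA, EC, PKCS#8 "PRIVATE KEY", OPENSSH ...).
# The body may hold real newlines (raw string or compiled binary) or literal "\n" escapes
# (an ordinary string literal in source code), so both are accepted.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z0-9 ]*PRIVATE KEY)-----"
    rb"(?P<body>(?:[A-Za-z0-9+/=]|\s|\\[nr])+?)"
    rb"-----END (?P=label)-----"
)


def _der_read(buf: bytes, pos: int):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next `count` bytes hold it
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der: bytes) -> int:
    """Modulus bit length of a PKCS#1 RSAPrivateKey (SEQUENCE { version, n, ... }); 0 if it does not parse."""
    try:
        tag, seq, _ = _der_read(der, 0)
        if tag != 0x30:                    # not a SEQUENCE
            return 0
        tag_v, _version, pos = _der_read(seq, 0)
        tag_n, modulus, _ = _der_read(seq, pos)
        if tag_v != 0x02 or tag_n != 0x02:  # both must be INTEGERs
            return 0
        return int.from_bytes(modulus, "big").bit_length()
    except IndexError:
        return 0


def scan_bytes(data: bytes) -> List[Dict]:
    """Return one finding per private-key PEM block found in data."""
    findings = []
    for m in PEM_RE.finditer(data):
        label = m.group("label").decode()
        body = re.sub(rb"\\[nr]|\s", b"", m.group("body"))   # drop whitespace and "\n" escapes
        try:
            der = base64.b64decode(body, validate=True)
            decodes = True
        except ValueError:                 # binascii.Error is a ValueError subclass
            der, decodes = b"", False
        finding = {"label": label, "offset": m.start(), "decodes": decodes, "der_len": len(der)}
        if label == "RSA PRIVATE KEY" and decodes:
            finding["modulus_bits"] = rsa_modulus_bits(der)
        findings.append(finding)
    return findings


# --- constructed sample data (not a real key) ---------------------------------------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def _der_int(value: int) -> bytes:
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")   # extra byte keeps it non-negative
    return b"\x02" + _der_len(len(body)) + body


def build_toy_rsa_pem() -> bytes:
    """Constructed PKCS#1-shaped key with a dummy 64-bit modulus; unusable for any cryptography."""
    n = (1 << 63) | 0x1234567
    fields = [0, n, 65537, 1, 1, 1, 1, 1, 1]   # version, n, e, d, p, q, dP, dQ, qInv (dummies)
    body = b"".join(_der_int(v) for v in fields)
    der = b"\x30" + _der_len(len(body)) + body
    return (b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(der)
            + b"-----END RSA PRIVATE KEY-----\n")


# Constructed stand-ins: a "binary" with junk around the PEM text, and a source file where the
# same PEM sits inside a string constant with "\n" escapes (the shape of a key pasted into code).
SAMPLE_BINARY = b"\x7fELF\x00\x01" + bytes(range(256)) + build_toy_rsa_pem() + b"\x00" * 32
SAMPLE_SOURCE = b'const EMBEDDED_KEY: &str = "' + build_toy_rsa_pem().replace(b"\n", b"\\n") + b'";\n'


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("no paths given; scanning the constructed samples instead")
        for name, blob in (("sample-binary", SAMPLE_BINARY), ("sample-source", SAMPLE_SOURCE)):
            for f in scan_bytes(blob):
                print(f"{name}: {f}")
    for path in paths:
        with open(path, "rb") as fh:
            for f in scan_bytes(fh.read()):
                print(f"{path}: {f['label']} at offset {f['offset']} (bits={f.get('modulus_bits', '?')})")
```

Point the script at a release binary or a source tree file (for example `python scan_pem.py target/release/rustfs`; the path is an assumption) to confirm that an upgraded build no longer carries a key; with no arguments it scans the constructed samples. Any hit in a production artifact means whoever holds that artifact can impersonate the verifier, which is why the fix is to ship only the public half and keep signing material off the deployed system.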

Tracking


Advisories

No advisories yet.

History

Fri, 29 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Rustfs
Rustfs rustfs
Vendors & Products Rustfs
Rustfs rustfs

Thu, 28 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TEST_PRIVATE_KEY and uses it in production via parse_license() to "verify" license tokens. Because the key is embedded in every published source release and binary, anyone who can read the repository or extract it from the binary can mint arbitrary license tokens (any subject, any expiration). When the license Cargo feature is enabled, this defeats the entire license-enforcement mechanism. This vulnerability is fixed in 1.0.0-beta.2.
Title RustFS: Hard-coded RSA private key in license verifier permits arbitrary license forgery
Weaknesses CWE-321
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T14:04:39.259Z

Reserved: 2026-05-08T18:07:27.341Z

Link: CVE-2026-45041

Vulnrichment

Updated: 2026-05-29T14:04:29.618Z

NVD

Status : Deferred

Published: 2026-05-28T19:16:38.697

Modified: 2026-05-29T15:16:23.243

Link: CVE-2026-45041

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T20:45:26Z

Weaknesses
  • CWE-321

    Use of Hard-coded Cryptographic Key