Critical Hardcoded Credential Vulnerability in RustFS Storage Clusters
A critical vulnerability, tracked as CVE-2025-68926, was discovered in the RustFS distributed object storage system. The flaw involves the use of a hardcoded static token ("rustfs rpc") for gRPC authentication, which is publicly exposed in the source code and is non-configurable, with no mechanism for token rotation. This token is valid across all RustFS deployments prior to version 1.0.0-alpha.77, allowing any attacker with network access to the gRPC port to authenticate and perform privileged operations such as data destruction, policy manipulation, and cluster configuration changes. The issue has been addressed in version 1.0.0-alpha.77, which removes the hardcoded credential and implements proper authentication controls.
Security researchers have rated this vulnerability as critical, assigning it a CVSS score of 9.8 due to the ease of exploitation and the potential impact on data integrity and availability. Organizations using affected versions of RustFS are strongly advised to upgrade to the patched release immediately to mitigate the risk of unauthorized access and potential compromise of storage clusters. No evidence of exploitation in the wild has been reported as of the latest advisories, but the public nature of the token significantly increases the risk of opportunistic attacks.
Timeline
Jan 4, 2026
Nuclei template pull request adds detection for CVE-2025-68926
A ProjectDiscovery nuclei-templates pull request was opened to add detection coverage for CVE-2025-68926. The submission noted the issue was verified against RustFS 1.0.0-alpha.76 and referenced GitHub Security Advisory GHSA-h956-rh7x-ppgj.
Dec 30, 2025
CVE-2025-68926 disclosed as critical RustFS auth bypass
CVE-2025-68926 was publicly disclosed as a critical vulnerability affecting RustFS versions before 1.0.0-alpha.77. The flaw stems from a hardcoded static gRPC token ("rustfs rpc") that allows remote attackers with network access to bypass authentication and perform privileged operations.
Dec 30, 2025
RustFS releases fix in version 1.0.0-alpha.77
RustFS fixed a critical authentication bypass issue in version 1.0.0-alpha.77 by removing the hardcoded gRPC token from both client and server components. Users were advised to upgrade to this version or later to mitigate the risk.
Related Stories

Hardcoded Secrets Enable Authentication Bypass in Open-Source Infrastructure (RustFS and Open5GS WebUI)
Two critical hardcoded-secret weaknesses were disclosed in widely used open-source infrastructure components, enabling attackers to bypass authentication and obtain administrative control when exposed or left at insecure defaults. In **RustFS** (an object storage platform often used for backups, logs, and operational data), **CVE-2025-68926** (CVSS 9.8) stems from a *non-rotatable static authentication token* embedded in source code on both client and server sides; an attacker with access to the exposed **gRPC management port** can use the known token to bypass authentication and gain admin access, creating risk of data integrity loss and service disruption. In **Open5GS** (an open-source 5G core implementation), **CVE-2026-0622** affects the optional *WebUI* management interface and arises from default **hardcoded cryptographic secrets** used for **JWT signing**. If operators do not change the default environment variables (reportedly set to `change-me`), an attacker can forge valid JWTs, impersonate an administrator, and gain full WebUI privileges—potentially including configuration and subscriber-data management—while also bypassing controls that rely on authenticated context (e.g., CSRF protections).
1 month ago
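The RustFS story above (a static gRPC token fixed at build time with no way to rotate it) and the Open5GS WebUI story (JWT signing secrets left at a default of `change-me`) share one root cause: a secret that is identical in every deployment because it is compiled in or shipped as a default, instead of being supplied per deployment and checked before use. The Rust below is an added illustration written for this page; it is not RustFS, Open5GS or any other project's code. It places the vulnerable pattern (a compile-time constant, using the literal the advisory names) next to a hardened one in which the secret comes from an operator-supplied source, is refused at startup when missing, too short or equal to a known placeholder, is compared in constant time, and can be rotated with a grace period for the previous value. The environment variable names (`RPC_TOKEN`, `WEBUI_JWT_SECRET`), the placeholder list, the 32-byte minimum and the sample token values are all assumptions chosen for the example.

```rust
use std::env;

/// VULNERABLE: a compile-time constant is the same in every deployment, readable by anyone
/// with the source or the binary, and cannot be rotated. The literal is the one named in the
/// advisory; the function around it is constructed for this example.
const HARDCODED_TOKEN: &str = "rustfs rpc";

pub fn vulnerable_authenticate(presented: &str) -> bool {
    presented == HARDCODED_TOKEN
}

/// Placeholder values seen in sample configs (assumed list); none may ever be accepted as a secret.
const PLACEHOLDERS: &[&str] = &["", "change-me", "changeme", "secret", "password", HARDCODED_TOKEN];

#[derive(Debug, PartialEq)]
pub enum SecretError {
    Missing(String),
    Placeholder(String),
    TooShort { name: String, len: usize, min: usize },
}

/// Startup validation for a secret read from any config source: present, not a placeholder,
/// and at least `min_len` bytes. `name` is only used for the error message.
pub fn validate_secret(name: &str, value: Option<&str>, min_len: usize) -> Result<String, SecretError> {
    let value = value.ok_or_else(|| SecretError::Missing(name.to_string()))?.trim();
    if PLACEHOLDERS.iter().any(|p| p.eq_ignore_ascii_case(value)) {
        return Err(SecretError::Placeholder(name.to_string()));
    }
    if value.len() < min_len {
        return Err(SecretError::TooShort { name: name.to_string(), len: value.len(), min: min_len });
    }
    Ok(value.to_string())
}

/// Read the secret from the environment variable `name` (a hypothetical variable chosen by the operator).
pub fn load_secret(name: &str, min_len: usize) -> Result<String, SecretError> {
    let raw = env::var(name).ok();
    validate_secret(name, raw.as_deref(), min_len)
}

/// Constant-time comparison: every byte is examined, so the response time does not reveal how
/// many leading bytes of a guess were right. (Length may leak; token length is not secret.)
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// HARDENED: the token is supplied per deployment and validated at startup; during rotation the
/// previous token stays valid until the operator retires it, so clients can be updated one by one.
pub struct TokenAuthenticator {
    current: Vec<u8>,
    previous: Option<Vec<u8>>,
}

impl TokenAuthenticator {
    pub fn from_config(name: &str, value: Option<&str>, min_len: usize) -> Result<Self, SecretError> {
        let token = validate_secret(name, value, min_len)?;
        Ok(Self { current: token.into_bytes(), previous: None })
    }

    pub fn authenticate(&self, presented: &str) -> bool {
        let p = presented.as_bytes();
        // Both comparisons always run, so the first result does not shape the timing of the second.
        let cur = ct_eq(&self.current, p);
        let prev = self.previous.as_deref().map_or(false, |t| ct_eq(t, p));
        cur | prev
    }

    /// Install a new token; the old one remains accepted until `retire_previous` is called.
    pub fn rotate(&mut self, name: &str, new_value: &str, min_len: usize) -> Result<(), SecretError> {
        let token = validate_secret(name, Some(new_value), min_len)?;
        self.previous = Some(std::mem::replace(&mut self.current, token.into_bytes()));
        Ok(())
    }

    pub fn retire_previous(&mut self) {
        self.previous = None;
    }
}

fn main() {
    // Constructed sample values; RPC_TOKEN and WEBUI_JWT_SECRET are assumed variable names.
    let old = "k3Vq9sYt2pLx8NwB4mRz7cHd1aGf6uJe";
    let next = "Zt5yQw1eRt7uIo3pAs9dFg2hJk4lMn6b";
    println!("hardcoded token accepted everywhere: {}", vulnerable_authenticate("rustfs rpc"));
    println!("placeholder rejected at startup: {:?}", validate_secret("WEBUI_JWT_SECRET", Some("change-me"), 32));
    println!("environment lookup (Err(Missing) if the variable is unset): {:?}", load_secret("RPC_TOKEN", 32));
    let mut auth = TokenAuthenticator::from_config("RPC_TOKEN", Some(old), 32).unwrap();
    auth.rotate("RPC_TOKEN", next, 32).unwrap();
    println!("old token during rotation: {}", auth.authenticate(old));
    auth.retire_previous();
    println!("old token after retirement: {}", auth.authenticate(old));
}
```

The same validation applies to a JWT signing key: a process that refuses to start while its secret is unset or still `change-me` cannot be left at an insecure default, and a per-deployment, rotatable token removes the property that made the RustFS credential usable against every installation at once.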
Rclone RC Flaws Enable Unauthenticated Auth Bypass and Command Execution
Two high-severity vulnerabilities in **Rclone** expose its remote control (RC) interface to unauthenticated abuse on deployments that do not enforce global HTTP authentication. **`CVE-2026-41176`** affects versions from `1.45.0` through before `1.73.5` and allows attackers to call the `options/set` endpoint to set `rc.NoAuth=true`, disabling authorization checks for many RC methods and opening access to sensitive administrative, configuration, and operational functions. A second flaw, **`CVE-2026-41179`**, affects versions from `1.48.0` through before `1.73.5` and stems from the `operations/fsinfo` endpoint not requiring authentication while accepting attacker-controlled `fs` input. Because Rclone can instantiate inline backend definitions through `rc.GetFs(...)`, an attacker can create a malicious backend on demand; in the **WebDAV** backend, the `bearer_token_command` option is executed during initialization, enabling single-request unauthenticated local command execution. Both issues were patched in **Rclone `1.73.5`** and were classified under **CWE-306**, with `CVE-2026-41179` also mapped to **CWE-78**.
1 week ago
rust-openssl Flaws Enable Memory Disclosure and Buffer Overwrite
Two high-severity vulnerabilities were disclosed in **rust-openssl**, the Rust bindings for OpenSSL, affecting multiple `0.9.x` and `0.10.x` releases prior to **`0.10.78`**. **`CVE-2026-41898`** affects versions from `0.9.24` up to, but not including, `0.10.78`, where several FFI trampoline callback paths passed a closure-returned `usize` to OpenSSL without validating it against the output buffer size. The flaw can trigger buffer overflows and leak adjacent memory to a network peer, and it is mapped to **`CWE-126`** and **`CWE-130`**. A second issue, **`CVE-2026-41681`**, affects versions from `0.10.39` up to, but not including, `0.10.78`, in `MdCtxRef::digest_final()`, which writes `EVP_MD_CTX_size(ctx)` bytes to the caller buffer without checking whether the buffer is large enough. The resulting out-of-bounds write can cause stack corruption and is reachable from safe Rust, with the weakness classified as **`CWE-121`**. Both vulnerabilities were addressed in **`rust-openssl 0.10.78`**, with public advisories, code references, and fix details released alongside the CVE records.
1 week ago
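Both rust-openssl issues above are the same mistake in two directions: a length crosses the FFI boundary without being checked against the buffer it describes, either a closure-returned `usize` handed back to C as the count of valid bytes (CWE-130, letting the C side read past the buffer and send adjacent memory to the peer) or a C-reported digest size written into a caller buffer that may be shorter (CWE-121). The Rust below is an added illustration written for this page, not rust-openssl's code. It stands in for the C side with a raw-pointer copy (`c_style_write`) and for `EVP_MD_CTX_size(ctx)` with a 32-byte constant, and shows the two checks that keep every write and every reported length inside the buffer. `DIGEST_LEN`, `BufferError`, the callback names and the sample bytes are assumptions.

```rust
use std::ptr;

/// Stand-in for `EVP_MD_CTX_size(ctx)`: the number of bytes the C side will write (32, as for SHA-256).
pub const DIGEST_LEN: usize = 32;

#[derive(Debug, PartialEq)]
pub enum BufferError {
    /// The caller's buffer cannot hold the digest the C side is about to write.
    TooSmall { needed: usize, available: usize },
    /// A callback claimed to have produced more bytes than its buffer can hold.
    CallbackOverrun { reported: usize, capacity: usize },
}

/// Stand-in for the C write: copies `len` bytes to `dst` and knows nothing about `dst`'s size.
///
/// SAFETY: the caller must guarantee `dst` is valid for `len` bytes and `src.len() >= len`.
unsafe fn c_style_write(dst: *mut u8, src: &[u8], len: usize) {
    unsafe { ptr::copy_nonoverlapping(src.as_ptr(), dst, len) };
}

/// Hardened `digest_final`: refuse the call when `out` is shorter than what the C side will write.
/// The unchecked version issued the write unconditionally, trusting the caller to have sized `out`.
pub fn digest_final_checked(out: &mut [u8]) -> Result<usize, BufferError> {
    if out.len() < DIGEST_LEN {
        return Err(BufferError::TooSmall { needed: DIGEST_LEN, available: out.len() });
    }
    // Constructed digest value; a real binding would receive it from OpenSSL.
    let digest = [0xABu8; DIGEST_LEN];
    // SAFETY: `out` holds at least DIGEST_LEN bytes (checked above); `digest` has exactly DIGEST_LEN.
    unsafe { c_style_write(out.as_mut_ptr(), &digest, DIGEST_LEN) };
    Ok(DIGEST_LEN)
}

/// Hardened callback trampoline. The closure fills `buf` and reports how many bytes it wrote; that
/// `usize` is what C receives as the valid length, so it must never exceed the buffer. A buggy
/// closure returning `usize::MAX` would otherwise make the C side read far past `buf`.
pub fn trampoline_checked<F>(buf: &mut [u8], callback: F) -> Result<usize, BufferError>
where
    F: FnOnce(&mut [u8]) -> usize,
{
    let capacity = buf.len();
    let reported = callback(buf);
    if reported > capacity {
        return Err(BufferError::CallbackOverrun { reported, capacity });
    }
    Ok(reported)
}

/// A well-behaved callback: writes a constructed 4-byte message and reports what it wrote.
pub fn honest_callback(buf: &mut [u8]) -> usize {
    let msg = b"okay";
    let n = msg.len().min(buf.len());
    buf[..n].copy_from_slice(&msg[..n]);
    n
}

/// A misbehaving callback: writes nothing but claims the whole address space.
pub fn lying_callback(_buf: &mut [u8]) -> usize {
    usize::MAX
}

fn main() {
    let mut small = [0u8; 16];
    println!("digest into 16-byte buffer: {:?}", digest_final_checked(&mut small));
    let mut out = [0u8; 64];
    println!("digest into 64-byte buffer: {:?}", digest_final_checked(&mut out));
    let mut cb = [0u8; 8];
    println!("honest callback: {:?}", trampoline_checked(&mut cb, honest_callback));
    println!("lying callback: {:?}", trampoline_checked(&mut cb, lying_callback));
}
```

The point of the trampoline check is that the closure is the only party that knows how many bytes it produced, and the C side will believe whatever number it is given; validating that number against the buffer length before it leaves Rust is what keeps the bug unreachable from safe code.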