CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2025-68926
CVSS 9.8 · EPSS 0.07%

RustFS: The 'rustfs rpc' Skeleton Key (CVE-2025-68926)

Alon Barad
Software Engineer

Jan 1, 2026 · 5 min read · 32 visits

PoC Available

Executive Summary (TL;DR)

RustFS versions prior to 1.0.0-alpha.77 contain a hardcoded gRPC authentication token ('rustfs rpc'). Attackers can use this token to bypass all authentication checks, allowing them to delete buckets, modify policies, and seize control of the storage cluster via standard gRPC tools.

A critical authentication bypass in the RustFS distributed object storage system allows unauthenticated attackers to gain full administrative control by sending a specific hardcoded string in the gRPC authorization header.

Official Patches

RustFS Official Repository

Technical Appendix

CVSS Score
9.8 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability
0.07%
Top 100% most exploited

Affected Systems

RustFS < 1.0.0-alpha.77

Affected Versions Detail

Product   Affected Versions   Fixed Version
RustFS    < 1.0.0-alpha.77    1.0.0-alpha.77

Attribute            Detail
CWE                  CWE-798 (Use of Hard-coded Credentials)
CVSS v3.1            9.8 (Critical)
Attack Vector        Network (gRPC)
Privileges Required  None
Port                 9000/TCP
Token Value          "rustfs rpc"

MITRE ATT&CK Mapping

T1078 Valid Accounts (Initial Access)
T1190 Exploit Public-Facing Application (Initial Access)
CWE-798
Use of Hard-coded Credentials

The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Known Exploits & Detection

Manual: Exploitation is trivial via any gRPC client using the header 'authorization: rustfs rpc'.
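To make the CWE-798 pattern and its fix concrete, the following is an added example and not RustFS's own code: it models the vulnerable check that accepts the constant token from the advisory, a hardened check that relies on a per-deployment secret compared in constant time, and a detector for the token in access logs. `Verdict`, `check_vulnerable`, `check_hardened`, `count_skeleton_key_hits` and the `authorization="..."` log format are hypothetical; only the token value comes from the advisory.

```rust
// Added example, not RustFS's own code. Function and type names, and the log
// format, are hypothetical; only the token string is taken from the advisory.
use std::collections::HashMap;

/// Value the advisory reports as accepted by builds before 1.0.0-alpha.77.
const SKELETON_KEY: &str = "rustfs rpc";

#[derive(Debug, PartialEq)]
pub enum Verdict { Allowed, Denied }

/// Vulnerable shape (CWE-798): the caller is trusted if it presents a constant
/// compiled into every binary, so anyone who has read the source has it too.
pub fn check_vulnerable(metadata: &HashMap<String, String>) -> Verdict {
    match metadata.get("authorization") {
        Some(v) if v == SKELETON_KEY => Verdict::Allowed,
        _ => Verdict::Denied,
    }
}

/// Constant-time comparison so a rejected token leaks no prefix timing.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Hardened shape: the token is a per-deployment secret loaded at start-up
/// (here passed in; assumed to come from the environment or a secrets manager),
/// the well-known default is refused outright, and the comparison is constant-time.
pub fn check_hardened(metadata: &HashMap<String, String>, deployment_secret: &str) -> Verdict {
    if deployment_secret.len() < 32 || deployment_secret == SKELETON_KEY {
        return Verdict::Denied; // never run on a weak or well-known secret
    }
    match metadata.get("authorization") {
        Some(v) if ct_eq(v.as_bytes(), deployment_secret.as_bytes()) => Verdict::Allowed,
        _ => Verdict::Denied,
    }
}

/// Detection: count access-log lines (constructed format `authorization="..."`)
/// carrying the skeleton key; no legitimate client should send it after patching.
pub fn count_skeleton_key_hits(log: &str) -> usize {
    log.lines().filter(|l| l.contains("authorization=\"rustfs rpc\"")).count()
}

fn main() {
    let md: HashMap<String, String> =
        HashMap::from([("authorization".to_string(), SKELETON_KEY.to_string())]);
    println!("vulnerable: {:?}", check_vulnerable(&md)); // Allowed
    println!("hardened:   {:?}", check_hardened(&md, "0123456789abcdef0123456789abcdef")); // Denied
}
```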

Vulnerability Timeline

2025-01-15  Vulnerability identified in codebase
2025-02-01  Patch released in version 1.0.0-alpha.77

References & Sources

  • [1] RustFS GitHub Repository

Attack Flow Diagram
