CVE-2025-68926

RustFS: The 'rustfs rpc' Skeleton Key (CVE-2025-68926)

Alon Barad
Software Engineer

Jan 1, 2026

Executive Summary (TL;DR)

RustFS versions prior to 1.0.0-alpha.77 contain a hardcoded gRPC authentication token ('rustfs rpc'). Anyone who can reach the gRPC endpoint (9000/TCP) can present this token in the authorization header to bypass all authentication checks, allowing them to delete buckets, modify policies, and seize control of the storage cluster with standard gRPC tooling. No credentials, user interaction, or prior access are needed, and because the token is compiled into the software, every unpatched deployment shares the same key.

A critical authentication bypass in the RustFS distributed object storage system allows unauthenticated attackers to gain full administrative control by sending a specific hardcoded string in the gRPC authorization header.
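The check described above, modelled as an added example that is not RustFS's own code: a gRPC-style authorization check that accepts the hard-coded token, beside a hardened replacement that takes a per-deployment secret, compares it in constant time, and refuses to start if configured with the known skeleton key. The header name `authorization`, the `RpcAuth` type, the `AuthError` enum and the `is_skeleton_key_attempt` helper are assumptions for illustration, and the request metadata is constructed inline.

```rust
//! Added example (not RustFS code): the CWE-798 pattern from the advisory,
//! modelled as an auth check over gRPC request metadata, with a hardened form.
use std::collections::HashMap;

/// The literal the advisory reports as the hard-coded token.
const HARDCODED_TOKEN: &str = "rustfs rpc";

/// Request metadata as a gRPC server sees it (header names lower-cased).
pub type Metadata = HashMap<String, String>;

#[derive(Debug, PartialEq)]
pub enum AuthError {
    MissingHeader,
    InvalidToken,
}

/// Vulnerable shape: any caller who knows the compiled-in string passes.
/// The value is identical on every deployment, so it is not a secret.
pub fn authorize_vulnerable(md: &Metadata) -> Result<(), AuthError> {
    let token = md.get("authorization").ok_or(AuthError::MissingHeader)?;
    if token.as_str() == HARDCODED_TOKEN {
        Ok(())
    } else {
        Err(AuthError::InvalidToken)
    }
}

/// Hardened shape (assumed design): the expected token is supplied per
/// deployment, in practice from the node's configuration or a secret store,
/// never from a string literal, and compared in constant time.
pub struct RpcAuth {
    rpc_secret: Vec<u8>,
}

impl RpcAuth {
    pub fn new(rpc_secret: &[u8]) -> Result<Self, &'static str> {
        // Fail closed on the value every unpatched node already accepts.
        if rpc_secret == HARDCODED_TOKEN.as_bytes() {
            return Err("refusing to run with the known skeleton key");
        }
        if rpc_secret.len() < 32 {
            return Err("rpc secret must be at least 32 bytes");
        }
        Ok(Self { rpc_secret: rpc_secret.to_vec() })
    }

    pub fn authorize(&self, md: &Metadata) -> Result<(), AuthError> {
        let token = md.get("authorization").ok_or(AuthError::MissingHeader)?;
        if constant_time_eq(token.as_bytes(), &self.rpc_secret) {
            Ok(())
        } else {
            Err(AuthError::InvalidToken)
        }
    }
}

/// Byte comparison whose running time does not depend on where the first
/// mismatch is: the length difference and every byte difference are folded
/// into one accumulator and only inspected at the end.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    let mut diff = a.len() ^ b.len();
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= (x ^ y) as usize;
    }
    diff == 0
}

/// Detection aid (assumed): flag an authorization value, e.g. one logged by
/// a proxy in front of 9000/TCP, that is exactly the known skeleton key.
pub fn is_skeleton_key_attempt(authorization_value: &str) -> bool {
    authorization_value.trim() == HARDCODED_TOKEN
}

fn main() {
    // Constructed request carrying the skeleton key.
    let mut md = Metadata::new();
    md.insert("authorization".to_string(), HARDCODED_TOKEN.to_string());
    println!("vulnerable check: {:?}", authorize_vulnerable(&md)); // Ok(())

    // Constructed per-node secret; a real deployment would generate it randomly.
    let auth = RpcAuth::new(b"0123456789abcdef0123456789abcdef").unwrap();
    println!("hardened check:   {:?}", auth.authorize(&md)); // Err(InvalidToken)
    println!("skeleton key seen: {}", is_skeleton_key_attempt("rustfs rpc"));
}
```

The constant-time comparison closes a timing side channel, but the fix that matters here is the first one: the secret must be generated per deployment and kept out of source, because a token that ships in the binary is known to everyone who can download the binary.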

Technical Appendix

CVSS Score: 9.8 / 10 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability: 0.07%
Top 100% most exploited

Affected Systems

RustFS < 1.0.0-alpha.77

Affected Versions Detail

Product: RustFS
Affected Versions: < 1.0.0-alpha.77
Fixed Version: 1.0.0-alpha.77

Attribute / Detail
CWE: CWE-798 (Use of Hard-coded Credentials)
CVSS v3.1: 9.8 (Critical)
Attack Vector: Network (gRPC)
Privileges Required: None
Port: 9000/TCP
Token Value: "rustfs rpc"
CWE-798
Use of Hard-coded Credentials

The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Vulnerability Timeline

Vulnerability identified in codebase
2025-01-15
Patch released in version 1.0.0-alpha.77
2025-02-01