{"id":"CVE-2026-45040","summary":"RustFS: Sensitive Information Leakage (SessionToken and SecretAccessKey) in RustFS Logs [Debug Mode]","details":"RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, RustFS suffers from sensitive information leakage in log outputs. When the server is run with RUST_LOG=debug sensitive credentials including SessionToken (JWT), SecretAccessKey, and full JWT claims are printed in plaintext to the server logs. This vulnerability is fixed in 1.0.0-beta.2.","aliases":["GHSA-8cm2-h255-v749"],"modified":"2026-07-08T08:13:30.399784258Z","published":"2026-05-28T18:35:48.505Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45040.json","cwe_ids":["CWE-312","CWE-532"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45040.json"},{"type":"ADVISORY","url":"https://github.com/rustfs/rustfs/security/advisories/GHSA-8cm2-h255-v749"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45040"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rustfs/rustfs","events":[{"introduced":"0"},{"fixed":"9f07029373af3c989bb26ac98a7df2c086b37c5c"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"1.0.0-beta.2"}],"source":"AFFECTED_FIELD"}}],"versions":["v1.0.0-beta.1","1.0.0-beta.1","1.0.0-alpha.99","1.0.0-alpha.98","1.0.0-alpha.97","1.0.0-alpha.96","1.0.0-alpha.95","1.0.0-alpha.94","1.0.0-alpha.93","1.0.0-alpha.92","1.0.0-alpha.91","1.0.0-alpha.90","1.0.0-alpha.89","1.0.0-alpha.88","1.0.0-alpha.87","1.0.0-alpha.86","1.0.0-alpha.85","1.0.0-alpha.84","1.0.0-alpha.83","1.0.0-alpha.82","1.0.0-alpha.81","1.0.0-alpha.80","1.0.0-alpha.79","1.0.0-alpha.78","1.0.0-alpha.77","1.0.0-alpha.76","1.0.0-alpha.75","1.0.0-alpha.74","1.0.0-alpha.73","1.0.0-alpha.72","1.0.0-alpha.71","1.0.0-alpha.70","1.0.0-alpha.69","1.0.0-alpha.68","1.0.0-alpha.67","1.0.0-alpha.66","1.0.0-alpha.65","1.0.0-alpha.64","1.0.0-alpha.63","1.0.0-alpha.62","1.0.0-alpha.61","1.0.0-alpha.60","1.0.0-alpha.59","1.0.0-alpha.58","1.0.0-alpha.57","1.0.0-alpha.56","1.0.0-alpha.55","1.0.0-alpha.54","1.0.0-alpha.53","1.0.0-alpha.52","1.0.0-alpha.51","1.0.0-alpha.50","1.0.0-alpha.49","1.0.0-alpha.48","1.0.0-alpha.47","1.0.0-alpha.46","1.0.0-alpha.45","1.0.0-alpha.44","1.0.0-alpha.43","1.0.0-alpha.42","1.0.0-alpha.41","1.0.0-alpha.40","1.0.0-alpha.39","1.0.0-alpha.38","1.0.0-alpha.37","1.0.0-alpha.36","1.0.0-alpha.35","1.0.0-alpha.34","1.0.0-alpha.33","1.0.0-alpha.32","1.0.0-alpha.31","1.0.0-alpha.30","1.0.0-alpha.29","1.0.0-alpha.28","1.0.0-alpha.27","1.0.0-alpha.26","1.0.0-alpha.25","1.0.0-alpha.24","1.0.0-alpha.23","1.0.0-alpha.22","1.0.0-alpha.21","1.0.0-alpha.20","1.0.0-alpha.19","1.0.0-alpha.18","1.0.0-alpha.17","1.0.0-alpha.16","1.0.0-alpha.15","1.0.0-alpha.14","1.0.0-alpha.13","1.0.0-alpha.12","1.0.0-alpha.11","1.0.0-alpha.10","1.0.0-alpha.9","1.0.0-alpha.8","1.0.0-alpha.7","1.0.0-alpha.6","1.0.0-alpha.5","1.0.0-alpha.4","1.0.0-alpha.3","1.0.0-alpha.2","1.0.0-alpha.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45040.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}]}