RustFS, a distributed object storage system celebrated for leveraging the memory safety and performance of the Rust programming language, has stumbled over a decidedly old-school security hurdle. A critical vulnerability has been disclosed revealing that the system relies on a static, hardcoded token for authentication, essentially leaving the keys to the kingdom under the doormat for any attacker to find.
The vulnerability, tracked as CVE-2025-68926, has been assigned a near-max CVSS score of 9.8, reflecting its severity and ease of exploitation. While Rust code safeguards against memory corruption, it cannot protect against logical design failures—in this case, a password baked directly into the source code.
The flaw lies in the system’s gRPC authentication mechanism. Instead of using dynamic keys or configurable secrets, the developers hardcoded a static string literal directly into the application logic.
The secret token? Simply: “rustfs rpc”.
According to the vulnerability report, this token is “publicly exposed in the source code repository” and is “universally valid across all RustFS deployments”. This means that every default installation of RustFS shares the exact same administrative password, which cannot be changed without modifying the source code and recompiling the software.
Because this token controls internal gRPC communication, possessing it grants an attacker the same privileges as the storage cluster’s internal nodes.
The report warns that the impact is critical: “Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes”.
The technical analysis identifies specific files where the security sin was committed. In rustfs/src/server/http.rs, the server checks for the authorization header against the hardcoded string.
“Static token hardcoded as string literal,” the analysis notes, highlighting that there is “no configuration mechanism (environment variable, file, etc.)” to override it.
The client-side code (crates/protos/src/lib.rs) is equally compromised, using the same string to initiate connections. This symmetry ensures that “token cannot be rotated without code changes”.
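As an added illustration of the remediation the report implies (this is not RustFS code), the following Rust sketch takes the shared RPC secret from configuration instead of a string literal, refuses to run with no secret or with the published default, and compares the presented header value in constant time; the environment-variable name, the minimum secret length and the `Bearer` header format are assumptions made for the example.

```rust
// Added example, not RustFS project code: a configurable, fail-closed
// shared-secret check for an internal RPC endpoint.
use std::env;

/// Environment variable the secret is read from (assumed name; the
/// advisory states RustFS offers no such configuration mechanism).
pub const TOKEN_ENV: &str = "RPC_SHARED_SECRET";

/// The value the advisory reports as hardcoded; never accept it as a secret.
const KNOWN_DEFAULT: &str = "rustfs rpc";

/// Minimum secret length enforced here (a policy choice for this example).
const MIN_SECRET_LEN: usize = 32;

#[derive(Debug, PartialEq)]
pub enum ConfigError { Missing, KnownDefault, TooShort }

/// Turn a raw configured value into a usable secret, or explain why not.
pub fn secret_from(raw: Option<String>) -> Result<Vec<u8>, ConfigError> {
    let raw = raw.ok_or(ConfigError::Missing)?;
    validate_secret(&raw)?;
    Ok(raw.into_bytes())
}

/// Read the secret from the environment at startup; failing here keeps the
/// service from ever coming up with a missing or well-known token.
pub fn load_secret() -> Result<Vec<u8>, ConfigError> {
    secret_from(env::var(TOKEN_ENV).ok())
}

/// Policy checks that do not depend on where the value came from.
pub fn validate_secret(raw: &str) -> Result<(), ConfigError> {
    if raw == KNOWN_DEFAULT { return Err(ConfigError::KnownDefault); }
    if raw.len() < MIN_SECRET_LEN { return Err(ConfigError::TooShort); }
    Ok(())
}

/// Constant-time comparison: only the length check short-circuits, so the
/// position of the first differing byte is not revealed through timing.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Authorize a request from its `authorization` header value.
/// Expects `Bearer <secret>` (assumed format); anything else is rejected.
pub fn authorize(header: Option<&str>, secret: &[u8]) -> bool {
    match header.and_then(|h| h.strip_prefix("Bearer ")) {
        Some(presented) => ct_eq(presented.as_bytes(), secret),
        None => false,
    }
}
```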
Until a patch is applied that introduces proper secret management, RustFS clusters utilizing this default configuration should be considered wide open to anyone who knows where to look.