CVE-2025-68926

Published Dec 30, 2025

Last updated 2 days ago

CVSS critical 9.8
RustFS

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-68926 affects RustFS, a distributed object storage system. Prior to version 1.0.0-alpha.77, RustFS uses a hardcoded static token, "rustfs rpc", for gRPC authentication. This token is exposed in the source code repository and is the same on both the client and server sides. The hardcoded token is non-configurable, lacks a rotation mechanism, and is universally valid across all RustFS deployments. An attacker with network access to the gRPC port can use this publicly known token to authenticate and perform privileged operations, including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.77 addresses this vulnerability.

Description
RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.78 contains a fix for the issue.
Source
security-advisories@github.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-287

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

5

  1. 🚨 CVE-2025-68926 - critical 🚨 RustFS < 1.0.0-alpha.77 - Hardcoded gRPC Authentication Token > RustFS before 1.0.0-alpha.77 used a hardcoded gRPC authentication token "rustfs rpc" ... 👾 https://t.co/bHyVJJ2r7x @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    6 Jan 2026

    87 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  2. CVE-2025-68926 RustFS gRPC Hardcoded. 2024-09-27: Hardcoded token "rustfs rpc" introduced• 2024-10-01: Vulnerable release published• 2026-01-05: Patched version released• Exposure: ~15 monthshttps://github.com/rustfs/rustfs/commit/04ab9d75a97014d3056d4affcb0a0987c0d29a01 ht

    @MortyJin

    6 Jan 2026

    112 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. ⚠️⚠️ CVE-2025-68926(CVSS 9.8): Critical Hardcoded Credential Flaw Exposes RustFS Storage Clusters 📖Details:https://t.co/1O7JgR4b2K 🔗FOFA Link: https://t.co/vWqmYyZisP 🎯2.8k+ Results are found on the https://t.co/pb16tGYaKe nearly year. FOFA Query: app="RUSTFS-Rus

    @fofabot

    5 Jan 2026

    2381 Impressions

    10 Retweets

    46 Likes

    10 Bookmarks

    0 Replies

    0 Quotes

  4. GitHub - Chocapikk/CVE-2025-68926: CVE-2025-68926 - RustFS Hardcoded gRPC Authentication Token Exploit - https://t.co/w3Haw1NGsQ

    @piedpiper1616

    5 Jan 2026

    3173 Impressions

    8 Retweets

    36 Likes

    10 Bookmarks

    1 Reply

    0 Quotes

  5. 2025 下半年是 CVE 快樂年呢,每幾週就會有很生草的 CVE 漏洞。RustFS,一個有 19.1K GitHub Stars 的 MINIO 替代品,爆出了一個 CVSS 分數達 9.8 的漏洞 (CVE-2025-68926)。 原因也是非常笨:RustFS 的控制台 (console) 裡面使用了 gRP

    @byStarTW

    4 Jan 2026

    218 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. wtf I'm seeing here? CVE-2025-68926 gRPC Hardcoded Token Authentication Bypass https://t.co/n4L0e4JWuk https://t.co/WnMV4U6vFI

    @h4x0r_dz

    4 Jan 2026

    33697 Impressions

    28 Retweets

    258 Likes

    106 Bookmarks

    8 Replies

    2 Quotes

  7. 🚨Alert🚨 CVE-2025-68926 (CVSS 9.8): Critical Hardcoded Credential Flaw Exposes RustFS Storage Clusters. 🧐Detail :https://t.co/RBnUrdDmyY 📊 18.1K Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/DOuuryzojt 👇Query HUNTER : https:/

    @HunterMapping

    4 Jan 2026

    2737 Impressions

    9 Retweets

    51 Likes

    13 Bookmarks

    1 Reply

    0 Quotes

  8. 🚨Alert🚨 CVE-2025-68926 (CVSS 9.8): Critical Hardcoded Credential Flaw Exposes RustFS Storage Clusters. 🧐Detail :https://t.co/RBnUrdDmyY 📊 18.1K Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/DOuuryzojt 👇Query HUNTER :

    @HunterMapping

    4 Jan 2026

    71 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  9. 🚨Alert🚨 CVE-2025-68926 (CVSS 9.8): Critical Hardcoded Credential Flaw Exposes RustFS Storage Clusters. 🧐Detail :https://t.co/RBnUrdDmyY 📊 18.1K Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/DOuuryzojt 👇Query HUNTER : https:/

    @HunterMapping

    4 Jan 2026

    77 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. 🚨 cve-2025-68926 (CVSS 9.8): RustFS has a gRPC Hardcoded Token Authentication Bypass RustFS is vulnerable to a gRPC hardcoded token authentication bypass due to a static, non-configurable token exposed in source code, allowing attackers to authenticate and perform privileged

    @zoomeye_team

    4 Jan 2026

    3330 Impressions

    8 Retweets

    40 Likes

    20 Bookmarks

    1 Reply

    0 Quotes

  11. The Rust Security Myth? 🦀🔓 Rust is known for memory safety, but it can’t stop human error. CVE-2025-68926 (CWE-798) has just exposed a massive flaw in RustFS Full Report: 🔗 https://t.co/lZs9UfsKfl #CyberSecurity #CloudSecurity #RustLang #DataBreach #InfoSec #CYBERDU

    @Iambivash007

    2 Jan 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. 分散型オブジェクトストレージRustFSに重大(Critical)な脆弱性。CVE-2025-68926はCVSSスコア9.8のハードコードされた認証情報。gRPC認証機構のシークレットキーが"rustfs rpc"だった(ソースコードとして公開済)。PoC(

    @__kokumoto

    2 Jan 2026

    1069 Impressions

    1 Retweet

    6 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  13. CVE-2025-68926 Hardcoded Authentication Token Vulnerability in RustFS gRPC Service Before 1.0.0-alpha.77 https://t.co/DPHJDXF8tn

    @VulmonFeeds

    31 Dec 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. [CVE-2025-68926: CRITICAL] Critical security flaw in RustFS versions <1.0.0-alpha.77 exposes network access to gRPC port due to hardcoded static authentication token. Update to v1.0.0-alpha.77 to fix the issue.#cve,CVE-2025-68926,#cybersecurity https://t.co/hALrrLrlPR https://

    @CveFindCom

    30 Dec 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. 🔴 CVE-2025-68926 - Critical RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.77, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that ... https://t.co/4t4xudBsyQ https://t.co/6XL7QM9IJp

    @TheHackerWire

    30 Dec 2025

    56 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.