CVE-2026-45041
RustFS: Hard-coded RSA private key in license verifier permits arbitrary license forgery
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
13th
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TEST_PRIVATE_KEY and uses it in production via parse_license() to "verify" license tokens. Because the key is embedded in every published source release and binary, anyone who can read the repository or extract it from the binary can mint arbitrary license tokens (any subject, any expiration). When the license Cargo feature is enabled, this defeats the entire license-enforcement mechanism. This vulnerability is fixed in 1.0.0-beta.2.
| CWE | CWE-321 |
| Vendor | rustfs |
| Product | rustfs |
| Published | May 28, 2026 |
| Last Updated | May 29, 2026 |
Stay Ahead of the Next One
Get instant alerts for rustfs rustfs
Be the first to know when new unknown vulnerabilities affecting rustfs rustfs are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
rustfs / rustfs
< 1.0.0-beta.2