What is the severity of CVE-2026-22782?

CVE-2026-22782 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-22782?

No known public exploits are currently available for CVE-2026-22782.

Is there a patch available for CVE-2026-22782?

Yes, patches are available for CVE-2026-22782. Check the vendor advisories for update instructions.

CVE-2026-22782 - CVE Details, Severity, and Analysis

Q: What is CVE-2026-22782?

### Summary Invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls. ### Details In [`crates/ecstore/src/rpc/http_auth.rs:115-122`](https://github.com/rustfs/rustfs/blob/9e162b6e9ebb874cc1d06a7b33bc4a05786578aa/crates/ecstore/src/rpc/http_auth.rs#L115-L122) , the invalid signature branch logs sensitive data: ```rs if signature != expected_signature { error!( "verify_rpc_signature: Invalid signature: secret {}, url {}, method {}, timestamp {}, signature {}, expected_signature {}", secret, url, method, timestamp, signature, expected_signature ); return Err(std::io::Error::other("Invalid signature")); } ``` This log line includes `secret` and `expected_signature`, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers. ### PoC 1. Run RustFS with error logging enabled. 1. Send a request with an invalid signature: ``` ts=$(date +%s) curl -v \ -H "x-rustfs-timestamp: $ts" \ -H "x-rustfs-signature: invalid-signature" \ "http://localhost:9000/rustfs/rpc/read_file_stream?disk=foo&volume=bar&path=baz&offset=0&length=1" ``` 1. Observed output: ``` HTTP 403 AccessDenied: Invalid signature verify_rpc_signature: Invalid signature: secret rustfsadmin, url /rustfs/rpc/read_file_stream?disk=foo&volume=bar&path=baz&offset=0&length=1, method GET, timestamp 1767852115, signature invalid-signature, expected_signature oisNxNRTb80GXf97s/PGdScJzu8QB9Oxs+uOwf8RiK8= ``` ### Impact - Exposes the shared RPC HMAC secret to log readers. - Enables attackers with log access to forge valid RPC signatures and make unauthorized RPC calls.

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

Invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls.

Details

In crates/ecstore/src/rpc/http_auth.rs:115-122 , the invalid signature branch logs sensitive data:

if signature != expected_signature {
    error!(
        "verify_rpc_signature: Invalid signature: secret {}, url {}, method {}, timestamp {}, signature {}, expected_signature {}",
        secret, url, method, timestamp, signature, expected_signature
    );

    return Err(std::io::Error::other("Invalid signature"));
}

This log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers.

PoC

Run RustFS with error logging enabled.

Send a request with an invalid signature:

 ts=$(date +%s)
 curl -v \
   -H "x-rustfs-timestamp: $ts" \
   -H "x-rustfs-signature: invalid-signature" \
   "http://localhost:9000/rustfs/rpc/read_file_stream?disk=foo&volume=bar&path=baz&offset=0&length=1"

Observed output:

 HTTP 403 AccessDenied: Invalid signature
 verify_rpc_signature: Invalid signature: secret rustfsadmin, url /rustfs/rpc/read_file_stream?disk=foo&volume=bar&path=baz&offset=0&length=1, method GET, timestamp 1767852115, signature invalid-signature, expected_signature oisNxNRTb80GXf97s/PGdScJzu8QB9Oxs+uOwf8RiK8=

Impact

Exposes the shared RPC HMAC secret to log readers.
Enables attackers with log access to forge valid RPC signatures and make unauthorized RPC calls.

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com