Strobes VIStrobes VI
CVE DatabaseThreat ActorsResearchAdvisoryAPI Docs
Visit Strobes.coSign Up for Strobes
CVE DatabaseThreat ActorsResearchAdvisoryAPI Docs
Tools
KB Lookup
Visit Strobes.coSign Up for Strobes
HomeCVEs

Do you like the insights?

Strobes vulnerability intelligence is a key component of their Exposure Management platform that helps organizations understand, prioritize, and address security vulnerabilities more effectively.

© 2026 Strobes Security. All rights reserved.
HomeCVEsCVE-2026-24762

CVE-2026-24762

Published: February 16, 2026
Last updated:1 day ago (February 16, 2026)
Exploit: NoZero-day: NoPatch: NoTrend: Neutral
TL;DR
Updated February 16, 2026

CVE-2026-24762 is a low severity vulnerability with a CVSS score of 0.0. No known public exploits at this time.

Key Points
  • 1Low severity (CVSS 0.0/10)
  • 2No known public exploits
  • 3No official patches released yet
Severity Scores
CVSS v30.0
CVSS v20.0
Priority Score0.0
EPSS Score0.0
None
Exploitation LikelihoodMinimal
0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow
0.00%
EPSS
0.0
CVSS
No
Exploit
No
Patch
Medium Priority
no patch

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

RustFS logs sensitive credential material (access key, secret key, session token) to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be accessible to internal or external log consumers and could lead to compromise of sensitive credentials. This vulnerability is classified as an information disclosure issue (CWE-532).

Details

The server writes newly generated STS credential information including the access key, secret key, and session token to logs. The following excerpts from application logs demonstrate this:

[2026-01-17 09:13:23.127767 +11:00] INFO [rustfs::admin::handlers::sts] [rustfs/src/admin/handlers/sts.rs:138] [rustfs-worker:ThreadId(4)] AssumeRole get new_cred Credentials { access_key: "5UGH6TM44IPA81AH1WZE", secret_key: "3BQ-KnO_iB5ovmd5SU4wIK6sFfaPTliftvQ_iNLS", session_token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJleHAiOjE3Njg2NDQ4MDMsInBhcmVudCI6InJ1c3Rmc2FkbWluIn0.F9ZhARXyU0cB6QoFMElKK5tns_RFQM9WlpMiGVuuDOpOfNrbEKE_9IK1oaJ_yqDsBlK115uYOcQcGohjgUPhOQ", expiration: Some(2026-01-17 10:13:23.0 +00:00:00), status: "on", parent_user: "rustfsadmin", groups: None, claims: None, name: None, description: None }

By inspecting logs, an attacker or unauthorized internal user with access to logs could retrieve these credentials and use them to authenticate to RustFS services or perform other unauthorized actions.

Impact

  • Information Exposure: Plaintext authentication credentials appear in log files that may be retained, backed up, or forwarded to centralized logging systems.
  • Credential Compromise: Access keys, secret keys, and session tokens may be used by unauthorized individuals to authenticate to RustFS services or hijack sessions.
  • Insider Threat: Even users with limited access who can read logs may gain elevated access if they retrieve credential material.
  • Compliance Risk: Logging sensitive authentication material may violate organizational policies and industry compliance standards (e.g., PCI-DSS, SOC2, ISO 27001) that forbid exposure of authentication secrets in logs

Remediation

  • Do not include secrets in log output — redact secret_key, session_token, and similar fields.
  • Log only safe identifiers such as non-sensitive IDs (e.g., parent_user, trace ID).
CVSS v3 Breakdown
Attack Vector:-
Attack Complexity:-
Privileges Required:-
User Interaction:-
Scope:-
Confidentiality:-
Integrity:-
Availability:-
Trend Analysis
Neutral
Advisories
GitHub AdvisoryNVD
Cite This Page
APA Format
Strobes VI. (2026). CVE-2026-24762 - CVE Details and Analysis. Strobes VI. Retrieved February 17, 2026, from https://vi.strobes.co/cve/CVE-2026-24762
Quick copy link + title

Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.