CVE-2025-68926— RustFS has a gRPC Hardcoded Token Authentication Bypass

CVSS 9.8 · Critical EPSS 10.61% · P93 Updated Jan 13, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-68926

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

RustFS has a gRPC Hardcoded Token Authentication Bypass

Source: NVD (National Vulnerability Database)

Vulnerability Description

RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.78 contains a fix for the issue.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

使用硬编码的凭证

Source: NVD (National Vulnerability Database)

Vulnerability Title

rustfs 信任管理问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

rustfs是RustFS开源的一个高性能对象存储系统。 rustfs 1.0.0-alpha.77之前版本存在信任管理问题漏洞，该漏洞源于使用硬编码静态令牌进行gRPC身份验证，可能导致数据破坏、策略操纵和集群配置更改等特权操作。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
rustfs	rustfs	< 1.0.0-alpha.78	-

II. Public POCs for CVE-2025-68926

#	POC Description	Source Link	Shenlong Link
1	RustFS before 1.0.0-alpha.77 used a hardcoded gRPC authentication token "rustfs rpc" that could not be changed without recompiling and this allowed unauthenticated remote attackers to gain full administrative access to the gRPC API.	https://github.com/projectdiscovery/nuclei-templates/blob/main/code/cves/2025/CVE-2025-68926.yaml	POC Details
2	CVE-2025-68926 - RustFS Hardcoded gRPC Authentication Token Exploit	https://github.com/Chocapikk/CVE-2025-68926	POC Details
3	CVE-2025-68926 POC	https://github.com/Arcueld/CVE-2025-68926	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2025-68926

请登录查看更多情报信息。

IV. Related Vulnerabilities

Same product: rustfs

Same vendor: rustfs

Same weakness: CWE-798

V. Comments for CVE-2025-68926

Anonymous User

2026-01-15 06:08:48

Zaproxy alias impedit expedita quisquam pariatur exercitationem. Nemo rerum eveniet dolores rem quia dignissimos.

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-68926— RustFS has a gRPC Hardcoded Token Authentication Bypass

I. Basic Information for CVE-2025-68926

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Shenlong Deep Dive — AI Deep Analysis

Affected Products

II. Public POCs for CVE-2025-68926

III. Intelligence Information for CVE-2025-68926

IV. Related Vulnerabilities

V. Comments for CVE-2025-68926

Anonymous User

Leave a comment