A vulnerability has been disclosed in RustFS, a project developing S3-compatible distributed object storage in Rust. The vulnerability, identified as CVE-2025-68926, resembles a backdoor and is rated Critical (9.8 out of 10). The issue stems from a hardcoded access token in the code: anyone who can reach the network service can authenticate over gRPC simply by sending the value “rustfs rpc” in the “authorization” header. The token was present in both the server and client code.
If exploited, an attacker with access to the gRPC network port could leverage the hardcoded token to carry out privileged storage operations such as deleting data, manipulating user credentials, and altering cluster settings. By default, RustFS listens for gRPC requests on TCP port 9000 across all network interfaces. The vulnerability has been addressed in the latest release, RustFS 1.0.0-alpha.77. More information about the vulnerability can be found in the security advisory on the RustFS GitHub repository.
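To make the defect concrete, the following is an added illustration (not RustFS code) of the two authorization patterns in plain Rust, independent of any gRPC framework: the weak form compares the header against a literal baked into the binary, as the advisory describes, while the hardened form takes a per-deployment secret injected from configuration, fails closed when none is set, and compares in constant time. The environment variable name `EXAMPLE_RPC_TOKEN` is a hypothetical placeholder.

```rust
use std::env;

/// gRPC metadata key carrying the credential, as named in the advisory.
const AUTH_HEADER: &str = "authorization";

/// Weak pattern: one token shared by every deployment and recoverable by
/// reading the source. Anyone reaching the port can present it.
fn authorize_hardcoded(headers: &[(&str, &str)]) -> bool {
    headers
        .iter()
        .any(|(k, v)| k.eq_ignore_ascii_case(AUTH_HEADER) && *v == "rustfs rpc")
}

/// Constant-time byte comparison: response timing must not reveal how many
/// leading bytes of a presented token were correct.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b.iter()).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Hardened pattern: `expected` is the deployment's own secret (loaded by the
/// operator, never compiled in). With no secret configured the check fails
/// closed, and a missing or mismatched header is rejected.
fn authorize_configured(headers: &[(&str, &str)], expected: Option<&str>) -> bool {
    let expected = match expected {
        Some(t) if !t.is_empty() => t.as_bytes(),
        _ => return false, // fail closed: no secret means no access
    };
    headers
        .iter()
        .filter(|(k, _)| k.eq_ignore_ascii_case(AUTH_HEADER))
        .any(|(_, v)| ct_eq(v.as_bytes(), expected))
}

/// Reads the per-deployment secret from the (hypothetical) EXAMPLE_RPC_TOKEN
/// variable; an unset or empty variable yields None and the service rejects all.
fn expected_token_from_env() -> Option<String> {
    env::var("EXAMPLE_RPC_TOKEN").ok().filter(|t| !t.is_empty())
}

fn main() {
    // Constructed request metadata carrying the static token from the advisory.
    let req = [("authorization", "rustfs rpc")];
    println!("hardcoded check accepts static token: {}", authorize_hardcoded(&req));
    let secret = expected_token_from_env();
    println!("configured check accepts static token: {}",
        authorize_configured(&req, secret.as_deref()));
}
```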