CVE-2025-68926: RustFS has a gRPC Hardcoded Token Authentication Bypass
[PHASE 1] Baseline Testing
✓ Without token: REJECTED (Unauthenticated)
✓ With wrong token: REJECTED (Unauthenticated)
[PHASE 2] Exploit
✓ With hardcoded token "rustfs rpc": ACCEPTED ✅
[PHASE 3] Sensitive API Access
✓ ServerInfo: SUCCESS - Configuration disclosed
✓ DiskInfo: SUCCESS - System information accessible
[RESULT] VULNERABILITY CONFIRMED