Cyber Posture

CVE-2026-45039

Critical
Microsoft: not affectedMSmacOS: not affectedMacLinux: not affectedLnxMobile: not affectedMobNetwork: not affectedNetApplication: not affectedAppOther: affectedOth

Published: 28 May 2026

Published
28 May 2026
Modified
28 May 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score N/A
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-45039 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

IA-1 Policy and Procedures
addresses: CWE-798 CWE-1392

Policy and procedures prohibit hard-coded credentials in favor of managed authentication.

IA-5 Authenticator Management
addresses: CWE-798 CWE-1392

Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.

PM-30 Supply Chain Risk Management Strategy
addresses: CWE-798 CWE-1392

Strategy enforces supplier requirements and code reviews that reduce hard-coded credentials introduced through acquired products.

SA-4 Acquisition Process
addresses: CWE-798 CWE-1392

Requiring security functional requirements and acceptance criteria allows contracts to prohibit hard-coded credentials in delivered systems or components.

SA-5 System Documentation
addresses: CWE-798 CWE-1392

Known vulnerabilities section of admin docs covers hard-coded credentials and how to replace them, limiting their use in deployments.

AC-9 Previous Logon Notification
addresses: CWE-798

Enables users to notice when hard-coded credentials have been exploited for unauthorized access.

AT-3 Role-based Training
addresses: CWE-798

Security training explicitly warns against hard-coded credentials, lowering their use in systems.

CM-1 Policy and Procedures
addresses: CWE-1392

Mandates replacement of default credentials during secure configuration and provisioning procedures.

NVD Description

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, get_shared_secret() in crates/ecstore/src/rpc/http_auth.rs, falls back to…

more

the public, source-tree-embedded DEFAULT_SECRET_KEY = "rustfsadmin" when neither the RUSTFS_RPC_SECRET environment variable nor the global S3 secret key has been configured. This vulnerability is fixed in 1.0.0-beta.2.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-798CWE-1392
OWASP Top 10 Web 2025
A07:2025

EU & UK References

Regulatory context (EU CRA / NIS2 / DORA / UK NIS Regulations)

EU Cyber Resilience Act — coordinated disclosure

Critical and high-severity vulnerabilities in products with digital elements may trigger coordinated-disclosure obligations under the EU Cyber Resilience Act (CRA, Regulation 2024/2847). Manufacturers placing products on the EU market must notify ENISA and the relevant CSIRTs without undue delay once active exploitation is known.

References