CVE-2026-22042
Improper IAM Permission Validation in RustFS Enables Privilege Escalation

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description
RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, the `ImportIam` admin API validates permissions using `ExportIAMAction` instead of `ImportIAMAction`, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions (creating/updating users, groups, policies, and service accounts), this can lead to unauthorized IAM modification and privilege escalation. Version 1.0.0-alpha.79 fixes the issue.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-01-08
EPSS evaluated: 2026-06-15
Affected Vendors & Products
Vendor: rustfs
Product: rustfs
Version / Range: up to 1.0.0-alpha.79 (exclusive)
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The vulnerability in RustFS involves incorrect authorization in the ImportIam admin API. Specifically, the ImportIam operation validates permissions using ExportIAMAction instead of the correct ImportIAMAction. This mistake allows a principal with only export permissions to perform import operations, which include privileged write actions like creating or updating users, groups, policies, and service accounts. As a result, unauthorized IAM modifications and privilege escalation can occur. [1]

Impact Analysis

This vulnerability can lead to unauthorized changes in the IAM system of RustFS, such as creating or modifying users, groups, policies, and service accounts without proper authorization. This can result in privilege escalation, allowing attackers to gain higher-level access and control over the system, potentially compromising the security and integrity of the storage environment. [1]

Detection Guidance

This vulnerability can be detected by attempting to perform an Import IAM operation using credentials that only have ExportIAM permissions. Specifically, you can test if the ImportIam admin API incorrectly authorizes import actions with export-only credentials. A proof of concept involves preparing a valid IAM import ZIP archive (e.g., containing a new administrative policy and a user or service account bound to that policy) and sending it to the Import IAM endpoint authenticated with export-only credentials. If the import succeeds, the system is vulnerable. Commands would involve using HTTP tools (like curl) or RustFS client commands to send the import request with export-only credentials and observe if the import is accepted. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade RustFS to version 1.0.0-alpha.79 or later, where the issue is fixed by correctly validating ImportIam permissions using ImportIAMAction instead of ExportIAMAction. Until the upgrade can be applied, restrict export-only IAM credentials from accessing the ImportIam admin API to prevent unauthorized import operations. [1]
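To make the CWE-863 defect in the Description and the fix described above concrete, here is an added Rust illustration (not RustFS code; the `Action`, `Principal`, `authorize` and handler names are assumed) that places the pre-alpha.79 check beside the corrected one and adds a table-driven regression check that flags any handler whose required action does not match what it performs.

```rust
// Added illustration for CVE-2026-22042, not RustFS code; all names below are assumed.
use std::collections::HashSet;

#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
enum Action { ExportIAMAction, ImportIAMAction }

#[derive(Debug, PartialEq)]
enum AuthError { Denied(Action) }

// A caller together with the admin actions its attached policy allows.
struct Principal { allowed: HashSet<Action> }

impl Principal {
    fn with(actions: &[Action]) -> Self { Principal { allowed: actions.iter().copied().collect() } }
}

fn authorize(p: &Principal, action: Action) -> Result<(), AuthError> {
    if p.allowed.contains(&action) { Ok(()) } else { Err(AuthError::Denied(action)) }
}

/// Pre-1.0.0-alpha.79 behaviour (CWE-863): the import handler asks for the
/// export action, so an export-only principal reaches the privileged writes.
fn import_iam_vulnerable(p: &Principal) -> Result<(), AuthError> {
    authorize(p, Action::ExportIAMAction)?;
    Ok(()) // users, groups, policies and service accounts would be written here
}

/// Fixed behaviour: the check names the action the handler actually performs.
fn import_iam_fixed(p: &Principal) -> Result<(), AuthError> {
    authorize(p, Action::ImportIAMAction)?;
    Ok(())
}

/// Regression check for this bug class: call each handler as a principal holding every
/// action except the one it must require; any handler that still succeeds is returned.
fn handlers_checking_wrong_action() -> Vec<&'static str> {
    let table: [(&str, fn(&Principal) -> Result<(), AuthError>, Action); 2] = [
        ("ImportIam(vulnerable)", import_iam_vulnerable, Action::ImportIAMAction),
        ("ImportIam(fixed)", import_iam_fixed, Action::ImportIAMAction),
    ];
    let all = [Action::ExportIAMAction, Action::ImportIAMAction];
    table.iter().filter_map(|(name, h, required)| {
        let others: Vec<Action> = all.iter().copied().filter(|a| a != required).collect();
        if h(&Principal::with(&others)).is_ok() { Some(*name) } else { None }
    }).collect()
}

fn main() {
    println!("{:?}", handlers_checking_wrong_action()); // ["ImportIam(vulnerable)"]
}
```

The regression table is the part worth carrying into a real code base: every admin handler is listed with the action it must require, so a mismatch like the one fixed in 1.0.0-alpha.79 fails a unit test instead of shipping.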

Compliance Impact

The provided resources do not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
