CVE-2026-22043
Privilege Escalation in RustFS IAM via Policy Bypass

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent’s full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue.
Meta Information
Published: 2026-01-08
Last Modified: 2026-01-08
Generated: 2026-05-07
AI Q&A: 2026-01-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
rustfs   rustfs    from 1.0.0-alpha.13 (inclusive) to 1.0.0-alpha.78 (inclusive) (affected)
rustfs   rustfs    1.0.0-alpha.79 (fixed)
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-269: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in RustFS arises from a flawed implementation of the `deny_only` short-circuit logic in its IAM policy evaluation. Specifically, when `deny_only` is true and no explicit Deny is found, the system incorrectly allows access by bypassing all Allow checks. This flaw occurs during service account creation, allowing a restricted service account or STS credential to create a new unrestricted service account that inherits the full privileges of the parent, including root-level access. This enables privilege escalation and bypass of session or inline policy restrictions. [1]
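As an added illustration (not RustFS's code: the project's real evaluator, its data types and the exact semantics of its `deny_only` flag are not shown on this page), the following Rust model contrasts a `deny_only` short-circuit of the kind described above with a corrected evaluation, and adds a constructed guard for service-account creation so that a child credential is never broader than its creator. The policy, statement and action names are constructed for the example.

```rust
/// Constructed model of an IAM policy evaluator (not RustFS code).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Effect {
    Allow,
    Deny,
}

#[derive(Clone, Debug)]
pub struct Statement {
    pub effect: Effect,
    /// Exact action name, or "*" for any action (constructed matcher).
    pub action: &'static str,
}

#[derive(Clone, Debug, Default)]
pub struct Policy {
    pub statements: Vec<Statement>,
}

impl Policy {
    fn matches(stmt: &Statement, action: &str) -> bool {
        stmt.action == "*" || stmt.action == action
    }

    /// True if some Deny statement covers the action.
    pub fn has_explicit_deny(&self, action: &str) -> bool {
        self.statements
            .iter()
            .any(|s| s.effect == Effect::Deny && Self::matches(s, action))
    }

    /// True if some Allow statement covers the action.
    pub fn has_allow(&self, action: &str) -> bool {
        self.statements
            .iter()
            .any(|s| s.effect == Effect::Allow && Self::matches(s, action))
    }
}

/// Flawed evaluation, modelling the bug class in the advisory: with
/// `deny_only` set, the absence of an explicit Deny is treated as a grant
/// and the Allow statements are never consulted. A session or inline
/// policy that merely omits an action therefore fails to restrict it.
pub fn is_allowed_flawed(policy: &Policy, action: &str, deny_only: bool) -> bool {
    if policy.has_explicit_deny(action) {
        return false;
    }
    if deny_only {
        return true; // BUG: short-circuits past the Allow requirement
    }
    policy.has_allow(action)
}

/// Corrected evaluation: an explicit Deny always wins, and an action is
/// permitted only when some statement explicitly allows it. Nothing in the
/// evaluator grants access by default.
pub fn is_allowed_fixed(policy: &Policy, action: &str) -> bool {
    !policy.has_explicit_deny(action) && policy.has_allow(action)
}

/// Constructed defensive rule for service-account creation: a child
/// credential's effective permission is the intersection of its own inline
/// policy (if any) and the creator's effective policy, so a child issued
/// with no inline policy is bounded by the creator's restriction rather
/// than by the parent user's full privileges.
pub fn child_is_allowed(child_inline: Option<&Policy>, creator_effective: &Policy, action: &str) -> bool {
    let own = child_inline.map_or(true, |p| is_allowed_fixed(p, action));
    own && is_allowed_fixed(creator_effective, action)
}

fn main() {
    // Constructed restricted session policy: read objects only, deletes denied.
    let restricted = Policy {
        statements: vec![
            Statement { effect: Effect::Allow, action: "s3:GetObject" },
            Statement { effect: Effect::Deny, action: "s3:DeleteObject" },
        ],
    };
    for action in ["s3:GetObject", "s3:DeleteObject", "admin:CreateServiceAccount"] {
        println!(
            "{:<28} flawed(deny_only=true)={} fixed={}",
            action,
            is_allowed_flawed(&restricted, action, true),
            is_allowed_fixed(&restricted, action)
        );
    }
    // A child issued with no inline policy stays bounded by its creator.
    println!(
        "child (no inline policy) may list buckets: {}",
        child_is_allowed(None, &restricted, "s3:ListAllMyBuckets")
    );
}
```

Run as-is to see that the flawed path reports `admin:CreateServiceAccount` as permitted for a policy that never allows it, while the corrected evaluator and the child-creation guard both refuse it.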


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows privilege escalation and unauthorized access to all S3, Admin, and KMS operations by enabling restricted service accounts to create unrestricted accounts with full privileges, including root access. Such unauthorized access and privilege escalation can lead to breaches of confidentiality and integrity of sensitive data, which may result in non-compliance with data protection standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal and sensitive information. [1]


How can this vulnerability impact me?

This vulnerability allows any holder of a restricted service account or STS credential to mint an unrestricted service account with full parent-level privileges, including root access. This compromises the confidentiality and integrity of the system by enabling unauthorized access to all S3, Admin, and KMS operations, effectively allowing privilege escalation and bypassing policy restrictions. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection can be performed by attempting to reproduce the privilege escalation exploit as demonstrated in the proof-of-concept (PoC). This involves using tools such as awscli, awscurl, and jq against a local RustFS instance to test if a restricted service account can create an unrestricted child service account and access resources beyond its policy. The PoC steps include cleaning up test accounts and buckets, creating buckets and seeding objects, defining restricted IAM policies, creating restricted service accounts, and then attempting to create child service accounts without policies to verify unauthorized access. Specific commands would involve awscli or awscurl commands to create service accounts, list buckets, and access objects as shown in the PoC. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade RustFS to version 1.0.0-alpha.79 or later, where the vulnerability has been fixed. This version corrects the flawed deny_only short-circuit logic in the IAM policy evaluation, preventing restricted service accounts from self-issuing unrestricted service accounts and thereby stopping privilege escalation. [1]

