CVE-2026-45043
Privilege Escalation in RustFS via IAM Import
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rustfs | rustfs | to 1.0.0-beta.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to escalate privileges to full administrative access by creating backdoor service accounts with persistent credentials. This can lead to unauthorized access and control over sensitive data and administrative operations.
Such unauthorized access and privilege escalation can compromise the confidentiality and integrity of data, which are critical requirements under common standards and regulations like GDPR and HIPAA.
Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to potential data breaches, lack of proper access controls, and failure to protect sensitive information.
Can you explain this vulnerability to me?
CVE-2026-45043 is a vulnerability in RustFS, a distributed object storage system. It arises from improper validation in the PUT /rustfs/admin/v3/import-iam endpoint. This endpoint allows a user with the ImportIAMAction privilege to create service accounts under any parent identity, including highly privileged ones like the root user (minioadmin).
The vulnerability exists because the endpoint accepts attacker-controlled values for parent, claims, accessKey, and secretKey without enforcing privilege boundaries or sanitization. This lack of validation enables an attacker to escalate their privileges to full administrative access by creating persistent backdoor service accounts with attacker-defined credentials.
Unlike the other service account creation flows, which enforce such checks, the ImportIAM path neither validates these critical fields nor sanitizes its inputs, so an attacker can assign privileged parent identities or policies and gain full control over buckets, IAM configuration, and administrative operations.
How can this vulnerability impact me?
This vulnerability can have severe impacts as it allows an attacker with limited privileges to escalate to full administrative access within RustFS.
- Creation of persistent backdoor service accounts with full administrative privileges.
- Complete control over storage buckets and IAM configurations.
- Ability to perform any administrative operations, potentially compromising the confidentiality and integrity of stored data.
- The attack requires low privileges, no user interaction, and is easily exploitable over the network, increasing the risk of compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and inspecting requests to the PUT /rustfs/admin/v3/import-iam endpoint for suspicious activity. Specifically, look for requests that create service accounts with unusual or unauthorized parent identities, such as the root user (minioadmin), or that include attacker-controlled values for parent, claims, accessKey, and secretKey.
Exploitation attempts can be detected with network traffic inspection or log analysis that identifies PUT requests to the vulnerable endpoint, for example by filtering HTTP PUT requests to /rustfs/admin/v3/import-iam in tcpdump or Wireshark, or by searching server logs for such requests. Note that the request path is only visible on the wire for plaintext HTTP; on TLS (port 443) it is encrypted, so server-side access logs are the reliable source.
- Use tcpdump to capture relevant traffic: tcpdump -i <interface> 'tcp port 80 or tcp port 443' and filter for PUT requests to /rustfs/admin/v3/import-iam (the path can only be matched in unencrypted captures).
- Search server access logs for PUT requests to /rustfs/admin/v3/import-iam containing suspicious parent or claims values.
- Audit IAM service accounts for unexpected or unauthorized accounts, especially those with administrative privileges.
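The log search and service-account audit described above, as an added example (not code from RustFS or from this advisory). It assumes a common-log-style access log and an illustrative service-account listing shape; both samples are constructed, and the regex and field names must be adapted to the real deployment.

```python
import re

# Endpoint and root identity named in the advisory text.
IMPORT_IAM_PATH = "/rustfs/admin/v3/import-iam"
ROOT_USER = "minioadmin"

# Constructed access-log lines (assumption: a common-log-style layout; the real
# RustFS log format may differ, so adjust LOG_RE to match your deployment).
SAMPLE_LOG = """\
10.0.0.5 - svc-backup [29/May/2026:10:01:02 +0000] "GET /data/report.csv HTTP/1.1" 200
10.0.0.9 - ci-user [29/May/2026:10:02:15 +0000] "PUT /rustfs/admin/v3/import-iam HTTP/1.1" 200
10.0.0.9 - ci-user [29/May/2026:10:02:16 +0000] "PUT /rustfs/admin/v3/import-iam?force=1 HTTP/1.1" 200
10.0.0.7 - admin [29/May/2026:10:03:00 +0000] "PUT /rustfs/admin/v3/add-user HTTP/1.1" 200
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def find_import_iam_requests(log_text: str) -> list[dict]:
    """Return every PUT to the import-iam endpoint (query string ignored)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "PUT" and path == IMPORT_IAM_PATH:
            hits.append({"ip": m.group("ip"), "user": m.group("user"), "ts": m.group("ts")})
    return hits

# Constructed service-account listing (assumption: illustrative shape, not the
# real RustFS IAM export schema). Each entry: access key, parent identity, claims.
SAMPLE_SERVICE_ACCOUNTS = [
    {"accessKey": "SA-BACKUP-01", "parent": "svc-backup", "claims": {}},
    {"accessKey": "SA-PERSIST-99", "parent": "minioadmin", "claims": {"parent": "minioadmin"}},
    {"accessKey": "SA-ODD-42", "parent": "nobody-known", "claims": {"parent": "ci-user"}},
]

def suspicious_service_accounts(accounts: list[dict], known_parents: set[str]) -> list[tuple[str, str]]:
    """Flag accounts whose parent is the root user, is unknown, or disagrees with its claims."""
    flagged = []
    for acct in accounts:
        parent = acct.get("parent", "")
        if parent == ROOT_USER:
            flagged.append((acct["accessKey"], "parent is the root user"))
        elif parent not in known_parents:
            flagged.append((acct["accessKey"], f"unknown parent {parent!r}"))
        claimed = acct.get("claims", {}).get("parent")
        if claimed and claimed != parent:
            flagged.append((acct["accessKey"], "claims.parent disagrees with parent"))
    return flagged
```

Any account flagged for a root-user or unknown parent is a candidate for the credential revocation or rotation recommended below.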
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade RustFS to version 1.0.0-beta.2 or later, where this vulnerability is fixed.
Until the upgrade can be performed, restrict access to the PUT /rustfs/admin/v3/import-iam endpoint to trusted users only, and monitor for any unauthorized attempts to create service accounts.
Additionally, audit existing service accounts for any unauthorized or suspicious accounts created via this vulnerability and revoke or rotate credentials as necessary.