CVE-2026-45043
Status: Deferred - Pending Action
Privilege Escalation in RustFS via IAM Import

Publication date: 2026-05-29

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user (minioadmin). The endpoint accepts attacker-controlled parent, claims, accessKey, and secretKey values without enforcing privilege boundaries or sanitization. This enables privilege escalation to full administrative access using a persistent, attacker-defined credential. This vulnerability is fixed in 1.0.0-beta.2.
Meta Information
Published: 2026-05-29
Last Modified: 2026-06-02
Generated: 2026-06-19
AI Q&A: 2026-05-29
EPSS Evaluated: 2026-06-18
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: rustfs | Product: rustfs | Version / Range: to 1.0.0-beta.2 (inc)
Weaknesses (CWE)
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-269: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Executive Summary

CVE-2026-45043 is a vulnerability in RustFS, a distributed object storage system. It arises from improper validation in the PUT /rustfs/admin/v3/import-iam endpoint. This endpoint allows a user with the ImportIAMAction privilege to create service accounts under any parent identity, including highly privileged ones like the root user (minioadmin).

The vulnerability exists because the endpoint accepts attacker-controlled values for parent, claims, accessKey, and secretKey without enforcing privilege boundaries or sanitization. This lack of validation enables an attacker to escalate their privileges to full administrative access by creating persistent backdoor service accounts with attacker-defined credentials.

Unlike other service account creation flows that have protections, this ImportIam path does not validate critical fields or sanitize inputs, allowing attackers to assign privileged identities or policies, resulting in full control over buckets, IAM configuration, and administrative operations.

Impact Analysis

This vulnerability can have severe impacts as it allows an attacker with limited privileges to escalate to full administrative access within RustFS.

  • Creation of persistent backdoor service accounts with full administrative privileges.
  • Complete control over storage buckets and IAM configurations.
  • Ability to perform any administrative operations, potentially compromising the confidentiality and integrity of stored data.
  • The attack requires low privileges, no user interaction, and is easily exploitable over the network, increasing the risk of compromise.
Detection Guidance

This vulnerability can be detected by monitoring and inspecting requests to the PUT /rustfs/admin/v3/import-iam endpoint for suspicious activity. Specifically, look for requests that create service accounts with unusual or unauthorized parent identities, such as the root user (minioadmin), or that include attacker-controlled values for parent, claims, accessKey, and secretKey.

Exploitation attempts can be detected with network traffic inspection or log analysis that identifies PUT requests to the vulnerable endpoint. For example, use tcpdump or Wireshark to isolate HTTP PUT requests to /rustfs/admin/v3/import-iam, or search server logs for such requests. Note that packet capture only exposes the method, path and body when the traffic is plaintext (or is captured after TLS termination); on a TLS-protected port 443 it can only show that traffic to the service occurred, so server-side access or audit logs are the more reliable source.

  • Use tcpdump to capture relevant traffic: tcpdump -i <interface> 'tcp port 80 or tcp port 443', then filter for PUT requests to /rustfs/admin/v3/import-iam.
  • Search server access logs for PUT requests to /rustfs/admin/v3/import-iam whose parent or claims values are suspicious, for example a parent that is the root user or that differs from the calling identity.
  • Audit IAM service accounts for unexpected or unauthorized accounts, especially those with administrative privileges.
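The log-review step above, as an added example that is not part of this advisory or of RustFS: a small Python checker that scans audit records for PUT requests to the import-iam endpoint and flags imported service accounts whose parent is the root identity or differs from the calling user. The JSON-lines record format and its field names (method, path, caller, body.svcaccts) are assumptions for illustration, not RustFS's real log schema, and the sample records are constructed.

```python
import json

IMPORT_IAM_PATH = "/rustfs/admin/v3/import-iam"
# Identities that an importer should never be allowed to pick as a service-account parent.
PRIVILEGED_PARENTS = {"minioadmin"}

# Constructed sample records in a hypothetical JSON-lines audit format
# (field names are assumptions, not the real RustFS log schema).
SAMPLE_LOG = """
{"method":"GET","path":"/bucket/obj","caller":"alice","body":{}}
{"method":"PUT","path":"/rustfs/admin/v3/import-iam","caller":"alice","body":{"svcaccts":[{"parent":"alice","accessKey":"svc-alice-1"}]}}
{"method":"PUT","path":"/rustfs/admin/v3/import-iam","caller":"bob","body":{"svcaccts":[{"parent":"minioadmin","accessKey":"backdoor","claims":{"policy":"consoleAdmin"}}]}}
{"method":"PUT","path":"/rustfs/admin/v3/import-iam","caller":"bob","body":{"svcaccts":[{"parent":"carol","accessKey":"svc-x"}]}}
"""


def flag_import_iam_requests(log_text):
    """Return (accessKey, reason) pairs for imported service accounts that cross a privilege boundary."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        # Only the import-iam endpoint is in scope; ordinary object traffic is skipped.
        if rec.get("method") != "PUT" or rec.get("path") != IMPORT_IAM_PATH:
            continue
        caller = rec.get("caller")
        for acct in rec.get("body", {}).get("svcaccts", []):
            parent = acct.get("parent")
            key = acct.get("accessKey")
            if parent in PRIVILEGED_PARENTS:
                # A service account under the root user inherits full admin rights.
                findings.append((key, f"parent is privileged identity {parent}"))
            elif parent != caller:
                # Creating accounts under someone else's identity is the core of the bug.
                findings.append((key, f"caller {caller} imported account under foreign parent {parent}"))
    return findings


if __name__ == "__main__":
    for key, reason in flag_import_iam_requests(SAMPLE_LOG):
        print(f"ALERT accessKey={key}: {reason}")
```

Run it against real audit output after mapping the field names to whatever the deployment's log format actually carries; any hit should be cross-checked against the live service-account list before credentials are revoked.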
Mitigation Strategies

The immediate mitigation step is to upgrade RustFS to version 1.0.0-beta.2 or later, where this vulnerability is fixed.

Until the upgrade can be performed, restrict access to the PUT /rustfs/admin/v3/import-iam endpoint to trusted users only, and monitor for any unauthorized attempts to create service accounts.

Additionally, audit existing service accounts for any unauthorized or suspicious accounts created via this vulnerability and revoke or rotate credentials as necessary.

Compliance Impact

The vulnerability allows an attacker to escalate privileges to full administrative access by creating backdoor service accounts with persistent credentials. This can lead to unauthorized access and control over sensitive data and administrative operations.

Such unauthorized access and privilege escalation can compromise the confidentiality and integrity of data, which are critical requirements under common standards and regulations like GDPR and HIPAA.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to potential data breaches, lack of proper access controls, and failure to protect sensitive information.
