Home

Description

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, he `ImportIam` admin API validates permissions using `ExportIAMAction` instead of `ImportIAMAction`, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions (creating/updating users, groups, policies, and service accounts), this can lead to unauthorized IAM modification and privilege escalation. Version 1.0.0-alpha.79 fixes the issue.

PUBLISHED Reserved 2026-01-05 | Published 2026-01-08 | Updated 2026-01-08 | Assigner GitHub_M




MEDIUM: 5.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Problem types

CWE-285: Improper Authorization

CWE-863: Incorrect Authorization

Product status

< 1.0.0-alpha.79
affected

References

github.com/...rustfs/security/advisories/GHSA-vcwh-pff9-64cc exploit

github.com/...rustfs/security/advisories/GHSA-vcwh-pff9-64cc

cve.org (CVE-2026-22042)

nvd.nist.gov (CVE-2026-22042)

Download JSON