CVE-2026-22042
📋 TL;DR
This vulnerability in RustFS allows a principal with export-only IAM permissions to perform import operations, leading to unauthorized creation or modification of users, groups, policies, and service accounts. It affects RustFS versions prior to 1.0.0-alpha.79, potentially enabling privilege escalation in distributed object storage systems.
💻 Affected Systems
- RustFS
📦 What is this software?
Rustfs by Rustfs
⚠️ Risk & Real-World Impact
Worst Case
An attacker with export-only permissions could escalate privileges to full administrative control, compromising the entire IAM system and enabling data theft, service disruption, or further attacks.
Likely Case
Unauthorized users gain elevated IAM permissions, allowing them to modify access controls, create new privileged accounts, or alter existing policies to bypass security measures.
If Mitigated
With proper network segmentation and access controls, impact is limited to isolated administrative interfaces, reducing the risk of widespread compromise.
🎯 Exploit Status
Exploitation requires access to the admin API with export-only permissions; no authentication bypass is needed, making it straightforward for authorized users to misuse.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.0-alpha.79
Vendor Advisory: https://github.com/rustfs/rustfs/security/advisories/GHSA-vcwh-pff9-64cc
Restart Required: Yes
Instructions:
1. Update RustFS to version 1.0.0-alpha.79 or later.
2. Restart the RustFS service to apply the patch.
3. Verify the fix by checking the version and testing IAM import permissions.
🔧 Temporary Workarounds
Restrict Admin API Access
Limit network access to the RustFS admin API to trusted IPs or internal networks only.
Use firewall rules (e.g., iptables or cloud security groups) to block external access to the admin API port.
Disable Export-Only Permissions
Temporarily remove or restrict IAM export permissions for all users until patched.
Review and modify IAM policies to revoke export permissions using RustFS admin tools.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the RustFS admin API from untrusted networks.
- Enforce least privilege by auditing and minimizing IAM permissions, especially export capabilities, to reduce attack surface.
🔍 How to Verify
Check if Vulnerable:
Check the RustFS version; if it is earlier than 1.0.0-alpha.79, the system is vulnerable. Also, review IAM permissions to see if export-only users can access import functions.
Check Version:
Run rustfs --version, or check the service logs for version information.
Verify Fix Applied:
After updating to 1.0.0-alpha.79 or later, test that users with export-only permissions cannot perform import operations via the admin API.
📡 Detection & Monitoring
Log Indicators:
- Log entries showing IAM import actions by users with only export permissions, or unexpected changes to IAM policies, users, or groups.
Network Indicators:
- Unusual API calls to the admin import endpoint from non-administrative sources.
SIEM Query:
Example: 'source="rustfs_logs" AND action="import_iam" AND user_permissions="export_only"'
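A small detector for the log indicator above, added here as an example and not taken from the page or the RustFS project: it replays constructed JSON audit lines against a constructed grant table and flags IAM-mutating actions by principals that hold only export rights. The field names and action names are assumptions; adapt them to the audit format your deployment actually emits.

```python
import json

# Constructed sample of admin audit log lines (JSON, one per line). The field
# names "time", "user", "action", "target" are assumptions for this example;
# map them onto whatever your RustFS deployment actually emits.
SAMPLE_LOGS = """\
{"time":"2026-01-10T09:00:01Z","user":"backup-svc","action":"export_iam"}
{"time":"2026-01-10T09:00:07Z","user":"backup-svc","action":"import_iam"}
{"time":"2026-01-10T09:01:00Z","user":"ops-admin","action":"import_iam"}
{"time":"2026-01-10T09:02:30Z","user":"backup-svc","action":"add_user","target":"shadow-admin"}
{"time":"2026-01-10T09:03:00Z","user":"backup-svc","action":"get_object","target":"backups/db.tar"}
"""

# Constructed snapshot of the admin actions each principal is supposed to hold;
# in practice build it from an IAM export taken before the window under review.
GRANTED = {
    "backup-svc": {"export_iam"},  # export-only principal, the case this CVE concerns
    "ops-admin": {"export_iam", "import_iam", "add_user", "remove_user", "set_policy"},
}

# Admin actions that create or change IAM state. import_iam is the one this CVE
# exposes; the rest are the side effects an unauthorized import can produce.
IAM_MUTATIONS = {"import_iam", "add_user", "remove_user", "add_group",
                 "remove_group", "set_policy", "add_service_account"}


def parse_line(line):
    """Parse one JSON audit line; return None for blank or malformed input."""
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if isinstance(rec, dict) and "user" in rec and "action" in rec:
        return rec
    return None


def find_iam_abuse(log_text, granted):
    """Return (time, user, action) for IAM mutations the principal was not granted."""
    # Unknown principals have no grants, so their mutations are reported too (fail closed).
    alerts = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        action = rec["action"]
        if action in IAM_MUTATIONS and action not in granted.get(rec["user"], set()):
            alerts.append((rec.get("time", "?"), rec["user"], action))
    return alerts
```

Calling find_iam_abuse(SAMPLE_LOGS, GRANTED) on the sample returns the two backup-svc mutations (import_iam and add_user) and nothing for ops-admin, whose import is granted.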