CVE-2026-22043
📋 TL;DR
A privilege escalation vulnerability in RustFS IAM allows restricted service accounts or STS credentials to self-issue unrestricted service accounts with full parent privileges. This bypasses session and inline policy restrictions, affecting all deployments running vulnerable RustFS versions.
💻 Affected Systems
- RustFS
📦 What is this software?
Rustfs by Rustfs
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the RustFS deployment where an attacker gains full administrative control over the entire object storage system, potentially accessing, modifying, or deleting all stored data.
Likely Case
Unauthorized privilege escalation allowing attackers to bypass intended access controls and perform actions beyond their authorized permissions, potentially leading to data exposure or system manipulation.
If Mitigated
Limited impact if proper network segmentation, least privilege principles, and monitoring are in place, though the vulnerability still presents a significant security risk.
🎯 Exploit Status
Exploitation requires some level of initial access (restricted service account or STS credential), but the privilege escalation mechanism appears straightforward based on the advisory description.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.0-alpha.79
Vendor Advisory: https://github.com/rustfs/rustfs/security/advisories/GHSA-xgr5-qc6w-vcg9
Restart Required: Yes
Instructions:
1. Stop the RustFS service.
2. Update RustFS to version 1.0.0-alpha.79 or later.
3. Restart the RustFS service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict IAM operations
Temporarily restrict IAM-related API calls to trusted administrative accounts only while awaiting patch deployment.
# Configure IAM policy to deny service account creation/modification for non-admin users
🧯 If You Can't Patch
- Implement strict network segmentation to isolate RustFS from other critical systems
- Enhance monitoring of IAM operations and service account creation activities
🔍 How to Verify
Check if Vulnerable:
Check RustFS version: if between 1.0.0-alpha.13 and 1.0.0-alpha.78 inclusive, the system is vulnerable.
Check Version:
rustfs --version
Verify Fix Applied:
Confirm RustFS version is 1.0.0-alpha.79 or later and test that restricted service accounts cannot create unrestricted accounts.
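The version-range test above is easy to get wrong by hand because pre-release identifiers do not compare as plain strings ("alpha.9" sorts after "alpha.78" lexically). The following is an added example, not code from the RustFS project or from the advisory: it parses a version string (or the text printed by `rustfs --version`, whose exact output format is an assumption) into a SemVer-style key and checks it against the 1.0.0-alpha.13 to 1.0.0-alpha.78 range stated on this page. It generalizes slightly beyond the page by handling other pre-release tags (beta, rc) and final releases, which sort after every pre-release of the same core version.

```python
import re
import subprocess

# Range stated in the advisory (inclusive) and the first fixed release.
VULN_FIRST = "1.0.0-alpha.13"
VULN_LAST = "1.0.0-alpha.78"
FIXED = "1.0.0-alpha.79"

# Matches "MAJOR.MINOR.PATCH" with an optional "-tag.N" pre-release suffix anywhere in the text.
_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, pre_tag, pre_num) from a version string.

    pre_tag/pre_num are None for a final release. Raises ValueError when no
    version is present, so an unparseable `rustfs --version` output is not
    silently treated as safe.
    """
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"no RustFS version found in {text!r}")
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch),
            tag.lower() if tag else None,
            int(num) if num else None)


def version_key(v):
    """Sortable key following SemVer ordering: a pre-release precedes the
    final release with the same core numbers; pre-release tags compare
    alphabetically (alpha < beta < rc) and then numerically."""
    major, minor, patch, tag, num = v
    is_release = 1 if tag is None else 0
    return (major, minor, patch, is_release, tag or "", num or 0)


def is_vulnerable(text):
    """True when the version found in `text` lies in the advisory's range."""
    key = version_key(parse_version(text))
    lo = version_key(parse_version(VULN_FIRST))
    hi = version_key(parse_version(VULN_LAST))
    return lo <= key <= hi


def is_fixed(text):
    """True when the version found in `text` is 1.0.0-alpha.79 or later."""
    return version_key(parse_version(text)) >= version_key(parse_version(FIXED))


def check_installed():
    """Run `rustfs --version` on this host and classify the result.
    Assumes the binary is on PATH and prints its version to stdout."""
    out = subprocess.run(["rustfs", "--version"], capture_output=True, text=True, check=True)
    text = out.stdout or out.stderr
    return {"version": text.strip(), "vulnerable": is_vulnerable(text), "fixed": is_fixed(text)}


if __name__ == "__main__":
    try:
        print(check_installed())
    except FileNotFoundError:
        print("rustfs binary not found on PATH")
```

Run it on the host being assessed; a result with `vulnerable: True` means the deployment is in the affected range and needs the 1.0.0-alpha.79 upgrade, while a `ValueError` means the version output could not be parsed and must be checked manually rather than assumed safe.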
📡 Detection & Monitoring
Log Indicators:
- Unexpected service account creation events
- IAM policy bypass attempts
- Privilege escalation patterns in authentication logs
Network Indicators:
- Unusual IAM API call patterns from non-admin accounts
- Spike in service account creation requests
SIEM Query:
source="rustfs" AND (event_type="service_account_create" OR event_type="iam_policy_change") AND user_type!="admin"
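The SIEM query above filters IAM mutations performed by non-admin principals, which is the pattern this vulnerability produces (a service account or STS session creating a service account). The following is an added example, not code from RustFS or from the advisory: it applies the same filter to a few constructed JSON audit lines and also implements the "spike in service account creation requests" indicator as a per-principal sliding-window count. The field names (`source`, `event_type`, `user_type`, `user`, `ts`, `target`) mirror the query on this page; the actual RustFS audit-log schema is an assumption, so map the field names to your own log format.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events for demonstration; not real RustFS log output.
SAMPLE_LOG = """
{"ts": "2026-01-10T09:00:01Z", "source": "rustfs", "event_type": "object_get", "user": "app-svc", "user_type": "service_account"}
{"ts": "2026-01-10T09:00:05Z", "source": "rustfs", "event_type": "service_account_create", "user": "app-svc", "user_type": "service_account", "target": "app-svc-2"}
{"ts": "2026-01-10T09:00:06Z", "source": "rustfs", "event_type": "service_account_create", "user": "admin", "user_type": "admin", "target": "backup-svc"}
{"ts": "2026-01-10T09:00:07Z", "source": "rustfs", "event_type": "service_account_create", "user": "app-svc", "user_type": "service_account", "target": "app-svc-3"}
{"ts": "2026-01-10T09:00:08Z", "source": "rustfs", "event_type": "service_account_create", "user": "app-svc", "user_type": "service_account", "target": "app-svc-4"}
{"ts": "2026-01-10T09:00:09Z", "source": "rustfs", "event_type": "iam_policy_change", "user": "sts-session-7f3a", "user_type": "sts", "target": "app-svc-2"}
{"ts": "2026-01-10T09:00:10Z", "source": "rustfs", "event_type": "object_put", "user": "app-svc-2", "user_type": "service_account"}
{"ts": "2026-01-10T09:00:11Z", "source": "nginx", "event_type": "service_account_create", "user": "x", "user_type": "service_account"}
this line is not JSON and must not abort detection
"""

# Event types from the page's SIEM query.
WATCHED_EVENTS = {"service_account_create", "iam_policy_change"}


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_suspicious(events):
    """Python equivalent of the page's SIEM query:
    source="rustfs" AND event_type in WATCHED_EVENTS AND user_type != "admin"."""
    return [
        e for e in events
        if e.get("source") == "rustfs"
        and e.get("event_type") in WATCHED_EVENTS
        and e.get("user_type") != "admin"
    ]


def _ts(value):
    # fromisoformat() does not accept a trailing "Z" before Python 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def creation_bursts(events, threshold, window_seconds):
    """Return {user: count} for principals that created at least `threshold`
    service accounts within any `window_seconds` window (the spike indicator)."""
    per_user = defaultdict(list)
    for e in events:
        if e.get("source") == "rustfs" and e.get("event_type") == "service_account_create":
            per_user[e.get("user")].append(_ts(e["ts"]))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                flagged[user] = j - i
                break
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in find_suspicious(evs):
        print(f"{e['ts']} {e['user']} ({e['user_type']}) -> {e['event_type']} {e.get('target', '')}")
    print("bursts:", creation_bursts(evs, threshold=3, window_seconds=60))
```

On the sample data the filter returns the three creations by `app-svc` and the policy change by the STS session, and the burst detector flags `app-svc` for three creations within the window; the admin's creation and the event from a different source are excluded, as the SIEM query intends. Tune `threshold` and `window_seconds` to the normal rate of service-account provisioning in your environment before alerting on the burst rule.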