Platform: rust
Component: rustfs
Fixed in: 1.0.1, 1.0.0-alpha.79
CVE-2026-22043 describes a Privilege Escalation vulnerability within RustFS's IAM system. This flaw allows a restricted service account or STS credential to bypass policy restrictions and self-issue an unrestricted service account, effectively inheriting the parent's full privileges. The vulnerability impacts versions of RustFS prior to 1.0.0-alpha.79 and is addressed with an upgrade to the fixed version.
The impact of CVE-2026-22043 is significant, enabling privilege escalation within RustFS environments. An attacker exploiting this vulnerability can bypass session and inline policy restrictions by creating a new service account with elevated privileges. This allows them to perform actions they would otherwise be unauthorized to do, potentially leading to data breaches, system compromise, and disruption of services. The vulnerability shares similarities with MinIO CVE-2025-62506, suggesting a common underlying issue in policy evaluation logic. The blast radius extends to any service or application relying on RustFS for access control.
CVE-2026-22043 was publicly disclosed on January 8, 2026. The vulnerability's similarity to MinIO CVE-2025-62506 suggests a potential for similar exploitation techniques. Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's nature makes it likely that a POC will be developed. The vulnerability has not yet been added to the CISA KEV catalog, and there are no confirmed reports of active exploitation at this time.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
The primary mitigation for CVE-2026-22043 is to upgrade RustFS to version 1.0.0-alpha.79 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Review and restrict the permissions granted to service accounts, particularly those with the ability to create new accounts. Implement stricter auditing and monitoring of service account creation and privilege escalation attempts. While a WAF or proxy cannot directly address this IAM vulnerability, they can help detect and block suspicious activity related to privilege escalation. After upgrading, confirm the fix by using a restricted service account or STS credential to create a new service account and verifying that the new account receives only the intended, parent-bounded permissions rather than inheriting unrestricted access.
Update RustFS to version 1.0.0-alpha.79 or higher. This version fixes the privilege escalation vulnerability in the IAM system. The update will prevent restricted service accounts from issuing unrestricted accounts.
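To make the intended invariant concrete, here is an added, simplified model of bounded service-account issuance (it is not RustFS code; policies are modelled as sets of action strings rather than RustFS's real policy documents, and the function and type names are assumptions). The issuing credential's effective permissions are the intersection of its inline policy and any session policy, and a new service account may never be granted more than that bound:

```rust
use std::collections::BTreeSet;

/// A policy modelled as a set of allowed "service:action" strings.
/// Assumption: a stand-in for RustFS's real policy documents.
#[derive(Debug, Clone, PartialEq)]
pub struct Policy {
    pub allow: BTreeSet<String>,
}

impl Policy {
    pub fn new(actions: &[&str]) -> Self {
        Policy { allow: actions.iter().map(|s| s.to_string()).collect() }
    }

    /// The effective permission set of a credential carrying an inline
    /// (parent) policy and an optional session policy is their intersection.
    pub fn effective(inline: &Policy, session: Option<&Policy>) -> Policy {
        match session {
            None => inline.clone(),
            Some(s) => Policy { allow: inline.allow.intersection(&s.allow).cloned().collect() },
        }
    }
}

#[derive(Debug, PartialEq)]
pub enum CreateError {
    ExceedsParent(Vec<String>),
}

/// Bounded issuance: a new service account may only receive a policy that fits
/// inside the issuing credential's effective permissions. This is the invariant
/// the advisory describes as bypassed; the function models the fixed behaviour.
pub fn create_service_account(
    parent_inline: &Policy,
    parent_session: Option<&Policy>,
    requested: Option<&Policy>,
) -> Result<Policy, CreateError> {
    let bound = Policy::effective(parent_inline, parent_session);
    match requested {
        // No explicit policy: inherit the bound, never the unrestricted inline policy.
        None => Ok(bound),
        Some(req) => {
            let excess: Vec<String> = req.allow.difference(&bound.allow).cloned().collect();
            if excess.is_empty() { Ok(req.clone()) } else { Err(CreateError::ExceedsParent(excess)) }
        }
    }
}
```

The `ExceedsParent` variant lists exactly which requested actions fall outside the bound, which is the data a defender would want logged when monitoring service-account creation.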
CVE-2026-22043 is a vulnerability in RustFS that allows a restricted service account to escalate privileges by self-issuing an unrestricted account, bypassing policy restrictions.
You are affected if you are using RustFS versions prior to 1.0.0-alpha.79 and have not implemented mitigating controls.
Upgrade RustFS to version 1.0.0-alpha.79 or later. If immediate upgrade is not possible, review and restrict service account permissions.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests a potential for exploitation.
Refer to the official RustFS security advisory for detailed information and updates: [https://rustfs.example.com/security/advisories/CVE-2026-22043](https://rustfs.example.com/security/advisories/CVE-2026-22043)