Platform
rust
Component
rustfs
Fixed in
1.0.1
1.0.0-alpha.79
CVE-2026-22043 describes a privilege escalation vulnerability in RustFS's IAM system. A restricted service account or STS credential, one whose parent user's policy has been narrowed by a session or inline policy, can call the service account creation path and self-issue a new service account that is not bound by that restriction. The new account takes the parent user's full policy, so the restricted credential effectively inherits the parent's complete privileges. The vulnerability affects versions of RustFS prior to 1.0.0-alpha.79 and is addressed by upgrading to a fixed version.
The impact is privilege escalation within the RustFS deployment. An attacker holding only a scoped-down credential can bypass session and inline policy restrictions by creating a new service account that carries elevated privileges, and then use that account to perform actions the original credential was never authorized for, with data exposure, system compromise and disruption of services as possible consequences. The flaw closely resembles MinIO CVE-2025-62506, which points to a common underlying issue in how the policy of a newly created service account is derived from the creator's credentials. The blast radius extends to any service or application that relies on RustFS session or inline policies as an access control boundary.
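The failure mode described above, modelled in Rust as an added example (illustrative code written for this page, not RustFS or MinIO source): a policy is reduced to a set of allowed action names, a credential is a parent policy plus an optional session policy, and two versions of the service account creation path are compared. The vulnerable version authorizes against the parent user's policy and lets the new account inherit it unrestricted; the hardened version authorizes against the requester's effective policy and caps the new account's session policy at that ceiling. The `Policy` and `Credential` types, the action names and the set-intersection rule are assumptions of this model; real policies are JSON documents with resources and conditions, so a production fix needs a proper policy-containment check or must embed the requester's session policy into the child account.

```rust
use std::collections::BTreeSet;

/// Admin action name assumed for this example (MinIO-style naming).
pub const CREATE_ACTION: &str = "admin:CreateServiceAccount";

/// Simplified policy model: the set of allowed action names.
/// Intersection of sets stands in for intersection of policy documents.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Policy(BTreeSet<String>);

impl Policy {
    pub fn of(actions: &[&str]) -> Policy {
        Policy(actions.iter().map(|a| a.to_string()).collect())
    }
    pub fn allows(&self, action: &str) -> bool {
        self.0.contains(action)
    }
    pub fn intersect(&self, other: &Policy) -> Policy {
        Policy(self.0.intersection(&other.0).cloned().collect())
    }
}

/// A long-lived user has only a parent policy; a service account or STS
/// token derived from that user may also carry a session policy, which is
/// meant to narrow (never widen) the parent policy.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Credential {
    pub parent_policy: Policy,
    pub session_policy: Option<Policy>,
}

impl Credential {
    pub fn user(parent: Policy) -> Credential {
        Credential { parent_policy: parent, session_policy: None }
    }
    /// What the credential can actually do: parent policy, further
    /// restricted by the session policy when one is attached.
    pub fn effective_policy(&self) -> Policy {
        match &self.session_policy {
            Some(sp) => self.parent_policy.intersect(sp),
            None => self.parent_policy.clone(),
        }
    }
}

/// Models the flaw: authorization consults only the parent user's policy,
/// and the new account's session policy is whatever the request supplied
/// (possibly nothing). The requester's own session policy is never
/// consulted, so a restricted credential can mint an unrestricted one.
pub fn create_service_account_vulnerable(
    requester: &Credential,
    requested: Option<Policy>,
) -> Result<Credential, &'static str> {
    if !requester.parent_policy.allows(CREATE_ACTION) {
        return Err("parent policy denies service account creation");
    }
    Ok(Credential { parent_policy: requester.parent_policy.clone(), session_policy: requested })
}

/// Hardened path: authorize against the requester's *effective* policy and
/// cap the child's session policy at that ceiling. An omitted policy
/// defaults to the ceiling rather than to the parent's full policy, and an
/// explicit policy is intersected with it so the child never exceeds its
/// creator.
pub fn create_service_account_fixed(
    requester: &Credential,
    requested: Option<Policy>,
) -> Result<Credential, &'static str> {
    let ceiling = requester.effective_policy();
    if !ceiling.allows(CREATE_ACTION) {
        return Err("effective policy denies service account creation");
    }
    let session = match requested {
        Some(p) => p.intersect(&ceiling),
        None => ceiling,
    };
    Ok(Credential { parent_policy: requester.parent_policy.clone(), session_policy: Some(session) })
}

/// Scenario from the advisory: a full-access user issues a read-only STS
/// credential, which then creates a service account with no policy given.
/// Returns the new account's effective policy under each implementation.
pub fn escalation_scenario() -> (Policy, Policy) {
    let admin = Credential::user(Policy::of(&[
        "s3:GetObject", "s3:PutObject", "s3:DeleteObject", CREATE_ACTION,
    ]));
    let readonly_sts = Credential {
        parent_policy: admin.parent_policy.clone(),
        session_policy: Some(Policy::of(&["s3:GetObject", CREATE_ACTION])),
    };
    let vuln = create_service_account_vulnerable(&readonly_sts, None).expect("vulnerable path allows it");
    let fixed = create_service_account_fixed(&readonly_sts, None).expect("creation itself is permitted");
    (vuln.effective_policy(), fixed.effective_policy())
}

fn main() {
    let (vuln, fixed) = escalation_scenario();
    println!("vulnerable child can delete: {}", vuln.allows("s3:DeleteObject")); // true
    println!("fixed child can delete:      {}", fixed.allows("s3:DeleteObject")); // false
}
```

The read-only STS credential holds the create action in its session policy, so creation is legitimately permitted in both versions; the difference is solely in what the child receives, which is the point of the CVE.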
CVE-2026-22043 was publicly disclosed on January 8, 2026. Because the flaw mirrors MinIO CVE-2025-62506, exploitation techniques developed for the MinIO issue are likely to carry over. No public proof-of-concept (POC) code is available at the time of writing, but the exploit path is an ordinary service account creation request issued with restricted credentials, so a POC is straightforward to produce. The vulnerability has not been added to the CISA KEV catalog, and there are no confirmed reports of active exploitation at this time.
Organizations that rely on RustFS for data storage and access control are at risk, in particular those running multi-tenant deployments or complex IAM policies. Deployments that hand out STS tokens or service accounts scoped down from highly privileged parent users by session or inline policies are the most exposed, since that scoping is exactly what the flaw bypasses; the more permissive the parent policy, the larger the privilege gained.
• rust: Examine RustFS audit logs for service account creation events, paying particular attention to requests made by credentials that are themselves service accounts or STS tokens, and to creation requests that omit a policy (the case in which the new account inherits the parent's full policy).
# Example: filter the audit log for service account creation events
# (the log path and event name are illustrative; use the audit sink and field names your deployment actually emits)
zgrep 'service_account_created' /var/log/rustfs/audit.log
• generic web: Monitor RustFS API endpoints for IAM operations, especially service account creation, issued with restricted credentials.
# Example: replay a service account creation request with a restricted token and confirm it is rejected or scoped down
# (the endpoint path is illustrative)
curl -v https://rustfs.example.com/iam/create_service_account -H "Authorization: Bearer <restricted_token>"
Exploit Status
EPSS
0.02% (6th percentile)
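Detection logic for the pattern described in the log-review guidance above, as an added example (not RustFS code): it scans audit events for service account creation calls made by credentials that are themselves service accounts or STS tokens, and rates highest the case where such a restricted credential created an account without supplying a policy. The `key=value` line format, the field names (`api`, `requester_kind`, `session_policy`, `request_policy`), the API names and the sample log lines are all constructed for this example, because the page does not document RustFS's audit schema; map them onto the fields your deployment actually logs.

```rust
use std::collections::HashMap;

/// Parses one `key=value key=value ...` audit line into a map.
/// The format is constructed for this example.
pub fn parse_line(line: &str) -> HashMap<&str, &str> {
    line.split_whitespace()
        .filter_map(|kv| kv.split_once('='))
        .collect()
}

/// Names a service account creation call might be logged under
/// (assumed for this example, not taken from RustFS).
const CREATE_APIS: [&str; 2] = ["AddServiceAccount", "CreateServiceAccount"];

/// Credential kinds that are derived from a user and may carry a session
/// or inline policy; these should rarely, if ever, mint new accounts.
const DERIVED_KINDS: [&str; 2] = ["serviceaccount", "sts"];

#[derive(Debug, PartialEq, Eq)]
pub struct Finding {
    pub requester: String,
    pub severity: &'static str,
    pub reason: &'static str,
}

/// Returns one finding per service account creation performed by a
/// derived credential, in log order.
pub fn scan(log: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for line in log.lines().filter(|l| !l.trim().is_empty()) {
        let ev = parse_line(line);
        let api = ev.get("api").copied().unwrap_or("");
        if !CREATE_APIS.contains(&api) {
            continue;
        }
        let kind = ev.get("requester_kind").copied().unwrap_or("");
        if !DERIVED_KINDS.contains(&kind) {
            continue;
        }
        // A session policy on the requester means it was deliberately scoped down.
        let restricted = ev.get("session_policy").copied() == Some("yes");
        // No policy in the request is the inherit-the-parent case.
        let no_policy = ev.get("request_policy").copied().map_or(true, |p| p == "none");
        let requester = ev.get("requester").copied().unwrap_or("?").to_string();
        if restricted && no_policy {
            findings.push(Finding {
                requester,
                severity: "high",
                reason: "restricted derived credential created a service account with no policy (child inherits parent policy)",
            });
        } else {
            findings.push(Finding {
                requester,
                severity: "medium",
                reason: "derived credential created a service account",
            });
        }
    }
    findings
}

/// Constructed sample audit lines for this example.
pub const SAMPLE_LOG: &str = "
time=2026-01-08T09:58:13Z api=GetObject requester=alice requester_kind=user session_policy=no status=200
time=2026-01-08T10:00:01Z api=AddServiceAccount requester=alice requester_kind=user session_policy=no request_policy=inline status=200
time=2026-01-08T10:02:44Z api=AddServiceAccount requester=svc-backup requester_kind=serviceaccount parent=alice session_policy=yes request_policy=none status=200
time=2026-01-08T10:03:10Z api=AddServiceAccount requester=sts-ci requester_kind=sts parent=bob session_policy=yes request_policy=inline status=200
time=2026-01-08T10:05:27Z api=CreateServiceAccount requester=sts-batch requester_kind=sts parent=carol session_policy=no request_policy=none status=200
";

fn main() {
    for f in scan(SAMPLE_LOG) {
        println!("[{}] {}: {}", f.severity, f.requester, f.reason);
    }
}
```

The rule deliberately ignores the response status: a denied attempt by a restricted credential is still worth an alert after patching, since it shows someone probing for the escalation path.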
The primary mitigation for CVE-2026-22043 is to upgrade RustFS to version 1.0.0-alpha.79 or later. If an immediate upgrade is not feasible, apply temporary workarounds: review the permissions granted to service accounts and STS credentials and remove the ability to create new service accounts from any credential that does not strictly need it; reduce the privileges of the parent users from which restricted credentials are derived, since the parent policy is what an attacker inherits; and tighten auditing and monitoring of service account creation, alerting on any creation request issued by a service account or STS credential. A WAF or proxy cannot fix this IAM logic flaw, but it can log, rate-limit or block calls to the service account creation endpoint from clients that should never create accounts. After upgrading, confirm the fix by issuing an STS credential or service account with a restrictive session policy, using it to call the service account creation API without specifying a policy, and verifying either that the call is rejected or that the resulting account cannot perform any action the restricted credential itself could not.
Upgrade RustFS to version 1.0.0-alpha.79 or later. This version corrects the privilege escalation vulnerability in the IAM system and prevents restricted service accounts from issuing unrestricted accounts.
CVE-2026-22043 is a vulnerability in RustFS that allows a restricted service account to escalate privileges by self-issuing an unrestricted account, bypassing policy restrictions.
You are affected if you are using RustFS versions prior to 1.0.0-alpha.79 and have not implemented mitigating controls.
Upgrade RustFS to version 1.0.0-alpha.79 or later. If immediate upgrade is not possible, review and restrict service account permissions.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests a potential for exploitation.
Refer to the official RustFS security advisory for detailed information and updates: [https://rustfs.example.com/security/advisories/CVE-2026-22043](https://rustfs.example.com/security/advisories/CVE-2026-22043)