Skip to main content

RustFS CVE-2026-45043

| EUVDEUVD-2026-33285 CRITICAL
Improper Privilege Management (CWE-269)
2026-05-29 GitHub_M
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 29, 2026 - 15:30 vuln.today
Patch available
May 29, 2026 - 14:01 EUVD
CVSS changed
May 29, 2026 - 13:22 NVD
9.3 (CRITICAL)
CVE Published
May 29, 2026 - 12:25 nvd
UNKNOWN (no severity yet)

DescriptionGitHub Advisory

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user (minioadmin). The endpoint accepts attacker-controlled parent, claims, accessKey, and secretKey values without enforcing privilege boundaries or sanitization. This enables privilege escalation to full administrative access using a persistent, attacker-defined credential. This vulnerability is fixed in 1.0.0-beta.2.

AnalysisAI

Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportIAMAction abuse the PUT /rustfs/admin/v3/import-iam endpoint to mint service accounts under arbitrary parent identities - including the root minioadmin user - granting full administrative control via attacker-chosen, persistent credentials. CVSS 4.0 scores this 9.3 (Critical) reflecting low attack complexity, low privileges, and high confidentiality/integrity impact with scope change. No public exploit identified at time of analysis, and no EPSS or KEV signal is provided.

Technical ContextAI

RustFS is a Rust-implemented, S3-compatible distributed object storage system whose IAM model mirrors MinIO conventions (root user 'minioadmin', service accounts tied to parent identities, action-based policy grants like ImportIAMAction). The flaw sits in the admin import-IAM REST handler, which deserializes user-supplied JSON fields (parent, claims, accessKey, secretKey) and persists them as a service account without verifying that the requester is authorized to act on behalf of the named parent. This is a textbook CWE-269 (Improper Privilege Management) issue: the boundary check that should ensure a caller can only create accounts under identities they already own is missing, so possession of one narrow IAM permission collapses the entire trust hierarchy. The affected product is identified by CPE cpe:2.3:a:rustfs:rustfs across all versions prior to the fix.

RemediationAI

Vendor-released patch: 1.0.0-beta.2 - upgrade RustFS to 1.0.0-beta.2 or later as the primary fix, per the GHSA-566f-q62r-wcr8 advisory (https://github.com/rustfs/rustfs/security/advisories/GHSA-566f-q62r-wcr8). If immediate upgrade is not possible, revoke the ImportIAMAction permission from every non-root principal and audit existing IAM policies for grants of that action (trade-off: bulk IAM import workflows will break and must be performed by the root account). Additionally, block external access to the /rustfs/admin/v3/import-iam endpoint at the reverse proxy or network layer and restrict the admin API to a management VLAN or mTLS-protected interface (trade-off: legitimate remote administration tooling will need network-path or certificate updates). After patching, enumerate all service accounts whose parent is minioadmin or another privileged identity, validate provenance, and rotate or delete any unrecognized accessKey/secretKey pairs that may have been planted pre-patch.

More in Rustfs

View all
CVE-2025-68705 CRITICAL POC
9.8 Jan 07

RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files o

CVE-2026-22043 CRITICAL POC
9.8 Jan 08

RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted c

CVE-2026-27822 CRITICAL POC
9.0 Feb 25

Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored ob

CVE-2026-22042 HIGH POC
8.8 Jan 08

Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permis

CVE-2026-22782 HIGH POC
7.5 Jan 16

RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invali

CVE-2026-45039 CRITICAL
9.8 May 28

Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remot

CVE-2026-45044 HIGH
8.8 May 28

Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0

CVE-2026-45041 HIGH
8.7 May 28

License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded

CVE-2026-49991 HIGH
8.6 Jun 26

Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket wri

CVE-2026-55188 HIGH
8.2 Jun 26

Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no ef

CVE-2026-27607 HIGH
8.1 Feb 25

Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to

CVE-2025-69255 MEDIUM POC
4.0 Jan 07

RustFS is a distributed object storage system built in Rust. [CVSS 4.0 MEDIUM]

Share

CVE-2026-45043 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy