Moderate severity · OSV Advisory · Published Jan 8, 2026 · Updated Jan 8, 2026
RustFS has IAM Incorrect Authorization in ImportIam that Allows Privilege Escalation
CVE-2026-22042
Description
RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, the ImportIam admin API validates the caller's permissions against ExportIAMAction instead of ImportIAMAction, so a principal whose policy grants only IAM export is allowed to perform import operations. Because an IAM import performs privileged writes (creating or updating users, groups, policies, and service accounts), an export-only principal can modify IAM state, including attaching policies to its own identity, which amounts to privilege escalation. Version 1.0.0-alpha.79 fixes the issue by checking ImportIAMAction on the import path; operators running an earlier alpha should upgrade and, until then, treat any principal holding the export permission as if it also held import.
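The following Rust example, added here to illustrate the advisory and not taken from the RustFS code base, shows the class of bug described above: an import handler that authorizes against the export action. The types, function names and the toy IAM store are assumptions chosen for the illustration; only the action names ExportIAM/ImportIAM mirror the advisory text. The vulnerable handler lets an export-only principal write a policy attachment for itself, while the corrected handler denies the same call.

```rust
use std::collections::{HashMap, HashSet};

/// Admin actions relevant to the advisory. Names mirror the advisory's
/// ExportIAMAction / ImportIAMAction; the enum itself is illustrative.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum AdminAction {
    ExportIam,
    ImportIam,
}

/// A caller together with the admin actions its policy allows (assumed model).
#[derive(Debug, Clone)]
pub struct Principal {
    pub name: String,
    pub allowed: HashSet<AdminAction>,
}

impl Principal {
    /// A principal that holds only the export permission, as in the advisory.
    pub fn export_only(name: &str) -> Self {
        let mut allowed = HashSet::new();
        allowed.insert(AdminAction::ExportIam);
        Principal { name: name.to_string(), allowed }
    }
}

/// Minimal IAM state: user name -> attached policy names (constructed toy store).
#[derive(Debug, Default, Clone, PartialEq, Eq)]
pub struct IamStore {
    pub user_policies: HashMap<String, Vec<String>>,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AdminError {
    AccessDenied(AdminAction),
}

/// Generic policy check: the caller must hold exactly the action being performed.
fn authorize(p: &Principal, action: AdminAction) -> Result<(), AdminError> {
    if p.allowed.contains(&action) {
        Ok(())
    } else {
        Err(AdminError::AccessDenied(action))
    }
}

/// The privileged write: overlay an imported blob onto the live store.
fn apply_import(store: &mut IamStore, blob: &IamStore) {
    for (user, policies) in &blob.user_policies {
        store.user_policies.insert(user.clone(), policies.clone());
    }
}

/// Vulnerable shape: the import path checks the *export* action before writing.
pub fn import_iam_vulnerable(
    p: &Principal,
    store: &mut IamStore,
    blob: &IamStore,
) -> Result<(), AdminError> {
    authorize(p, AdminAction::ExportIam)?; // wrong action for a write
    apply_import(store, blob);
    Ok(())
}

/// Corrected shape: the import path checks the *import* action.
pub fn import_iam_fixed(
    p: &Principal,
    store: &mut IamStore,
    blob: &IamStore,
) -> Result<(), AdminError> {
    authorize(p, AdminAction::ImportIam)?;
    apply_import(store, blob);
    Ok(())
}

/// Runs the escalation attempt against both handlers. Returns
/// (vulnerable_handler_granted_admin, fixed_handler_granted_admin).
pub fn demo() -> (bool, bool) {
    let attacker = Principal::export_only("auditor");
    // Constructed import blob: attach a full-admin policy to the attacker's own user.
    let mut blob = IamStore::default();
    blob.user_policies
        .insert(attacker.name.clone(), vec!["consoleAdmin".to_string()]);

    let mut store_v = IamStore::default();
    let vuln_ok = import_iam_vulnerable(&attacker, &mut store_v, &blob).is_ok();
    let vuln_escalated = vuln_ok && store_v.user_policies.contains_key("auditor");

    let mut store_f = IamStore::default();
    let fixed_ok = import_iam_fixed(&attacker, &mut store_f, &blob).is_ok();
    let fixed_escalated = fixed_ok || store_f.user_policies.contains_key("auditor");

    (vuln_escalated, fixed_escalated)
}

fn main() {
    let (v, f) = demo();
    println!("vulnerable handler granted admin to export-only caller: {v}");
    println!("fixed handler granted admin to export-only caller: {f}");
}
```

The point to check in any admin API review is that each handler authorizes against the action it actually performs; a read-class action (export) must never gate a write-class action (import), regardless of how similar the two endpoints look.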
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| rustfs | crates.io | < 1.0.0-alpha.79 | 1.0.0-alpha.79 |
Affected products: 1
Patches: no patch commits discovered yet (the fix ships in 1.0.0-alpha.79 per the advisory).
References
- github.com/advisories/GHSA-vcwh-pff9-64cc (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-22042 (NVD entry)
- github.com/rustfs/rustfs/security/advisories/GHSA-vcwh-pff9-64cc (upstream advisory, confirming reference)