VYPR
Critical severity · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-45043

Description

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user (minioadmin). The endpoint accepts attacker-controlled parent, claims, accessKey, and secretKey values without enforcing privilege boundaries or sanitization. This enables privilege escalation to full administrative access using a persistent, attacker-defined credential. This vulnerability is fixed in 1.0.0-beta.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper validation in RustFS import-iam endpoint allows privilege escalation to root by creating backdoor service accounts.

Vulnerability

The PUT /rustfs/admin/v3/import-iam endpoint in RustFS prior to version 1.0.0-beta.2 lacks proper validation of critical fields when importing service accounts from a ZIP-supplied JSON payload. The handler in rustfs/src/admin/handlers/user.rs directly provisions service accounts using attacker-controlled parent, claims, accessKey, and secretKey values without enforcing privilege boundaries or sanitization. This allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user minioadmin [1].

Exploitation

An attacker who possesses the ImportIAMAction privilege can craft a ZIP archive containing a JSON file that defines a service account with parent set to minioadmin, claims including sa-policy: consoleAdmin, and arbitrary accessKey/secretKey values. Uploading this ZIP to the import endpoint provisions the backdoor account without any additional authentication or user interaction [1].

Impact

Successful exploitation grants the attacker a persistent, attacker-defined credential with full administrative privileges (equivalent to the root user). This enables complete control over the distributed object store, including data access, configuration changes, and further privilege escalation [1].

Mitigation

The vulnerability is fixed in RustFS version 1.0.0-beta.2. Users should upgrade to this version or later. No workarounds are documented in the available reference [1].

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Rustfs/Rustfs (inferred), 2 versions: <1.0.0-beta.2 (+ 1 more)
    • (no CPE) range: <1.0.0-beta.2
    • (no CPE) range: <1.0.0-beta.2

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing validation of parent, claims, accessKey, and secretKey fields in the ImportIam handler allows creation of service accounts under arbitrary privileged identities."

Attack vector

An attacker who already possesses the `ImportIAMAction` privilege sends a PUT request to `/rustfs/admin/v3/import-iam` with a crafted ZIP file containing a JSON payload. The payload sets `parent` to `minioadmin` (the root user) and `claims.sa-policy` to `consoleAdmin`, along with attacker-chosen `accessKey` and `secretKey` values. The endpoint provisions the service account without enforcing privilege boundaries, granting the attacker full administrative credentials that persist in the IAM state [ref_id=1].

Affected code

The vulnerability resides in the `ImportIam` handler in `rustfs/src/admin/handlers/user.rs`. The handler iterates over service account definitions from a ZIP-supplied JSON payload and calls `iam_store.new_service_account(&req.parent, groups, opts)` without validating the `parent`, `claims`, `accessKey`, or `secretKey` fields. By contrast, the `AddServiceAccount` flow contains a constant-time equality check that prevents creating a service account with the system access key, but no equivalent validation exists in the `ImportIam` path [ref_id=1].

What the fix does

The advisory states the fix is in RustFS 1.0.0-beta.2 but does not include a patch diff. The remediation must add validation to the `ImportIam` handler equivalent to the protections already present in `AddServiceAccount`, such as a constant-time equality check that prevents creating a service account with the system access key, and sanitization of the `parent` and `claims` fields to reject privileged identities like `minioadmin` or policies like `consoleAdmin` [ref_id=1].
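As an added illustration (not RustFS's own code and not the 1.0.0-beta.2 patch, which the advisory does not include), the checks described above written as a Rust validation step that an import handler could run on each service-account entry before provisioning it; the struct layout, the system access key value `minioadmin`, the privileged-policy list and the credential format limits are assumptions.

```rust
// Hypothetical validation for imported service accounts (assumed shape;
// the real RustFS JSON fields are parent, claims, accessKey, secretKey).
struct ServiceAccountImport {
    parent: String,
    access_key: String,
    secret_key: String,
    sa_policy: Option<String>, // the `sa-policy` claim, if present
}

#[derive(Debug, PartialEq)]
enum ImportError {
    ParentIsSystemUser,
    AccessKeyIsSystemKey,
    PrivilegedPolicyClaim,
    InvalidCredentialFormat,
}

const SYSTEM_ACCESS_KEY: &str = "minioadmin"; // assumed root identity
const PRIVILEGED_POLICIES: &[&str] = &["consoleAdmin"]; // assumed list

/// Constant-time byte comparison: the result does not depend on how many
/// leading bytes match, mirroring the check the advisory attributes to
/// AddServiceAccount (assumed helper, not RustFS's implementation).
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Reject entries that would attach a service account to the system user,
/// reuse the system access key, or carry a privileged policy claim.
fn validate_import(sa: &ServiceAccountImport) -> Result<(), ImportError> {
    if ct_eq(sa.parent.as_bytes(), SYSTEM_ACCESS_KEY.as_bytes()) {
        return Err(ImportError::ParentIsSystemUser);
    }
    if ct_eq(sa.access_key.as_bytes(), SYSTEM_ACCESS_KEY.as_bytes()) {
        return Err(ImportError::AccessKeyIsSystemKey);
    }
    if let Some(p) = &sa.sa_policy {
        if PRIVILEGED_POLICIES.iter().any(|x| x == p) {
            return Err(ImportError::PrivilegedPolicyClaim);
        }
    }
    // Basic shape checks on caller-supplied credentials (assumed limits).
    let key_ok = sa.access_key.len() >= 3
        && sa.access_key.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_');
    if !key_ok || sa.secret_key.len() < 8 {
        return Err(ImportError::InvalidCredentialFormat);
    }
    Ok(())
}
```

A production handler would additionally confirm that `parent` names an existing, non-root identity the importing caller is allowed to act for; that policy is not described by the advisory and is left out here.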

Preconditions

  • auth: The attacker must hold the ImportIAMAction privilege on the RustFS instance.
  • network: The attacker must be able to send HTTP PUT requests to the /rustfs/admin/v3/import-iam endpoint.
  • input: The attacker must supply a crafted ZIP file containing a JSON payload with attacker-controlled parent, claims, accessKey, and secretKey fields.

Reproduction

The advisory includes a full proof-of-concept. Create a JSON file `svcaccts.json` with `parent` set to `minioadmin`, `claims.sa-policy` set to `consoleAdmin`, and attacker-chosen credentials. Package it into a ZIP archive under the `iam-assets/` directory. Send a PUT request with `awscurl` to `http://localhost:9000/rustfs/admin/v3/import-iam` using the sub-admin credentials. The response confirms the backdoor service account was added. The attacker can then use the created credentials to list service accounts and confirm administrative-level access [ref_id=1].

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

News mentions (0)

No linked articles in our index yet.