CVE-2026-22042 Overview
CVE-2026-22042 is an authorization bypass vulnerability in RustFS, a distributed object storage system built in Rust. The vulnerability exists in the ImportIam admin API, which incorrectly validates permissions using ExportIAMAction instead of the appropriate ImportIAMAction. This flaw allows a principal with export-only IAM permissions to perform unauthorized import operations, potentially leading to IAM modification and privilege escalation.
Critical Impact
Attackers with limited export-only IAM permissions can perform privileged write operations including creating and updating users, groups, policies, and service accounts, leading to unauthorized privilege escalation within the RustFS environment.
Affected Products
- RustFS versions prior to 1.0.0-alpha.79
Discovery Timeline
- 2026-01-08 - CVE-2026-22042 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2026-22042
Vulnerability Analysis
This vulnerability is classified as CWE-285 (Improper Authorization), where the application fails to properly verify that a user has been authorized to access a resource or perform an action. In the context of RustFS, the ImportIam admin API endpoint performs permission validation against the wrong action constant—using ExportIAMAction when it should use ImportIAMAction.
The practical impact is significant because importing IAM data performs privileged write actions. When a malicious actor with only export permissions calls the ImportIam API, the system incorrectly validates their authorization and permits the operation. This allows them to create new users, modify existing groups, update security policies, and provision service accounts—all actions that should require elevated import permissions.
Root Cause
The root cause is a logic error in the permission validation code path of the ImportIam admin API handler. Instead of checking whether the requesting principal has ImportIAMAction privileges, the code mistakenly validates against ExportIAMAction. This appears to be either a copy-paste error during development or an oversight when implementing the import functionality by reusing export-related code without updating the permission constant.
Attack Vector
The attack vector is network-based and requires low privileges to exploit. An attacker who has legitimate but limited access to the RustFS system—specifically export-only IAM permissions—can leverage this vulnerability to escalate their privileges. The attack flow involves:
- The attacker authenticates to RustFS with valid credentials that have export-only IAM permissions
- The attacker crafts a request to the ImportIam admin API endpoint with malicious IAM configuration data
- RustFS incorrectly validates the request against ExportIAMAction instead of ImportIAMAction
- Since the attacker has export permissions, the validation passes
- The import operation executes, allowing the attacker to create new privileged users or modify existing policies
The vulnerability requires no user interaction and can be exploited remotely over the network. For technical details on the vulnerability mechanism, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-22042
Indicators of Compromise
- Unexpected IAM changes including new users, groups, or policies created by accounts with only export permissions
- Audit log entries showing ImportIam API calls from principals that lack explicit import privileges
- Unusual privilege escalation patterns where low-privilege service accounts gain administrative capabilities
Detection Strategies
- Monitor API access logs for calls to the ImportIam endpoint and correlate with the caller's assigned permissions
- Implement anomaly detection for IAM configuration changes that originate from accounts without import authorization
- Review audit trails for discrepancies between granted permissions and executed administrative actions
Monitoring Recommendations
- Enable comprehensive logging for all IAM-related admin API operations in RustFS
- Set up alerts for any IAM modifications performed outside of expected change windows or by non-administrative accounts
- Regularly audit the mapping between user permissions and their actual API usage patterns
How to Mitigate CVE-2026-22042
Immediate Actions Required
- Upgrade RustFS to version 1.0.0-alpha.79 or later immediately
- Audit all IAM configurations for unauthorized changes that may have occurred prior to patching
- Review and restrict export-only IAM permissions to only trusted principals until the patch is applied
- Temporarily disable or restrict access to the ImportIam admin API endpoint if immediate patching is not feasible
Patch Information
The vulnerability has been fixed in RustFS version 1.0.0-alpha.79. The patch corrects the permission validation logic in the ImportIam admin API to properly check for ImportIAMAction authorization instead of ExportIAMAction. Organizations should upgrade to this version or later to remediate the vulnerability. For additional details, see the GitHub Security Advisory.
Workarounds
- Implement network-level access controls to restrict which hosts can reach the RustFS admin API endpoints
- Revoke export-only IAM permissions from untrusted or unnecessary principals until the patch can be deployed
- Deploy API gateway rules or reverse proxy configurations to block or require additional authentication for ImportIam API calls
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
