CVE-2026-22043 Overview
CVE-2026-22043 is a privilege escalation vulnerability in RustFS, a distributed object storage system built in Rust. The flaw exists in the Identity and Access Management (IAM) subsystem, where flawed deny_only short-circuit logic allows restricted service accounts or Security Token Service (STS) credentials to self-issue unrestricted service accounts. This bypasses session and inline policy restrictions, so the new account inherits the parent's full privileges.
Critical Impact
Restricted service accounts can escalate privileges to obtain full parent account permissions, completely bypassing IAM policy restrictions designed to limit access.
Affected Products
- RustFS versions 1.0.0-alpha.13 through 1.0.0-alpha.78
Discovery Timeline
- 2026-01-08 - CVE-2026-22043 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2026-22043
Vulnerability Analysis
This vulnerability (CWE-269: Improper Privilege Management) stems from a logical flaw in the RustFS IAM policy evaluation engine. When processing service account creation requests, the system implements a deny_only check designed to prevent privilege escalation. However, a short-circuit condition in this logic fails to properly validate whether the requesting credential has sufficient privileges to create new service accounts with elevated permissions.
The attack allows an authenticated user with limited STS credentials or a restricted service account to create a new service account that inherits the full privilege set of the parent account, rather than being constrained by the session policies or inline policies applied to the originating credential. This breaks the fundamental principle of least privilege that IAM systems are designed to enforce.
Root Cause
The root cause lies in the improper implementation of the deny_only authorization check within the IAM subsystem. When evaluating whether a service account creation request should be permitted, the short-circuit logic prematurely returns a success condition without fully evaluating the policy restrictions that should apply. This allows the request to proceed even when the requesting credential's policies explicitly deny the ability to create unrestricted accounts.
Attack Vector
The attack is network-accessible and requires low-privilege authenticated access to the RustFS system. An attacker with a restricted service account or STS temporary credentials can exploit this vulnerability by issuing API calls to create new service accounts. Due to the flawed deny_only check, these newly created accounts bypass the policy restrictions that should be inherited from or applied to the requesting credential.
The vulnerability enables privilege escalation by allowing attackers to effectively "break out" of their constrained permission set. Once an unrestricted service account is created, the attacker gains access equivalent to the parent account's full privileges, potentially including administrative capabilities over the object storage system.
Detection Methods for CVE-2026-22043
Indicators of Compromise
- Unexpected creation of new service accounts by restricted or temporary credentials
- Service accounts with elevated privileges created by accounts that should have limited IAM permissions
- Audit log entries showing service account creation bypassing expected policy denials
- STS credentials being used to issue long-lived service accounts with broader permissions
Detection Strategies
- Monitor IAM audit logs for service account creation events, particularly those initiated by STS credentials or known restricted accounts
- Implement alerting on any privilege escalation patterns where child accounts have broader permissions than their creators
- Review service account hierarchies to identify accounts that should not exist based on parent credential restrictions
- Deploy anomaly detection for IAM operations that deviate from expected least-privilege patterns
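The following Rust model is an added example, not RustFS's own IAM code. It illustrates both the root cause described above (a deny_only short-circuit that grants service account creation before the requester's session-narrowed permissions are compared with the requested child policy) and the detection strategy of flagging creations whose child is broader than its creator. Policies are simplified to sets of action names with "*" as a wildcard, the deny_only flag is modelled as a plain boolean, and the audit events are constructed; none of these reflect RustFS's actual types or log schema.

```rust
use std::collections::HashSet;

// Simplified policy model for this example: a set of allowed actions, "*" = all.
#[derive(Clone)]
struct Policy { allow: HashSet<String> }

impl Policy {
    fn new(actions: &[&str]) -> Self {
        Policy { allow: actions.iter().map(|a| a.to_string()).collect() }
    }
    // Every action allowed here must also be allowed by `other`.
    fn subset_of(&self, other: &Policy) -> bool {
        if other.allow.contains("*") { return true; }
        !self.allow.contains("*") && self.allow.iter().all(|a| other.allow.contains(a))
    }
    // Intersection of two policies, honouring the "*" wildcard.
    fn narrowed_by(&self, other: &Policy) -> Policy {
        if self.allow.contains("*") { return other.clone(); }
        if other.allow.contains("*") { return self.clone(); }
        Policy { allow: self.allow.intersection(&other.allow).cloned().collect() }
    }
}

// The requesting credential: its parent's policy plus an optional session or
// inline policy that restricts it (an STS token or a restricted service account).
struct Requester { parent: Policy, session: Option<Policy> }

impl Requester {
    fn effective(&self) -> Policy {
        self.session.as_ref().map_or(self.parent.clone(), |s| self.parent.narrowed_by(s))
    }
}

// Flawed shape of the check described in the advisory (hypothetical model): with
// deny_only set, the short-circuit grants the request before the session-narrowed
// permissions are ever compared with the requested child policy.
fn may_create_flawed(req: &Requester, child: &Policy, deny_only: bool) -> bool {
    if deny_only { return true; }
    child.subset_of(&req.effective())
}

// Hardened check: a child account may never exceed its creator's effective permissions.
fn may_create_fixed(req: &Requester, child: &Policy) -> bool {
    child.subset_of(&req.effective())
}
// Constructed audit event for detection; RustFS's real log schema is not assumed.
struct CreateEvent { id: String, requester: Requester, child: Policy }
// Return ids of service-account creations whose child is broader than its creator.
fn flag_escalations(events: &[CreateEvent]) -> Vec<String> {
    events.iter().filter(|e| !may_create_fixed(&e.requester, &e.child))
        .map(|e| e.id.clone()).collect()
}
```

Feeding real audit records into flag_escalations requires mapping the creator's parent and session policies and the child's policy onto the Policy model first.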
Monitoring Recommendations
- Enable comprehensive logging for all IAM and credential management operations in RustFS
- Set up real-time alerts for service account creation events, especially outside of normal provisioning workflows
- Regularly audit the permission sets of all service accounts to identify those with unexpected elevated privileges
- Monitor API access patterns for signs of privilege escalation attempts
How to Mitigate CVE-2026-22043
Immediate Actions Required
- Upgrade RustFS to version 1.0.0-alpha.79 or later immediately
- Audit all existing service accounts created between the deployment of vulnerable versions and the patch
- Revoke and regenerate any service accounts that may have been created through this exploitation vector
- Review IAM policies to ensure restricted accounts cannot create new credentials until the patch is applied
Patch Information
The vulnerability is fixed in RustFS version 1.0.0-alpha.79. Organizations should upgrade to this version or later to remediate the vulnerability. The fix addresses the flawed deny_only short-circuit logic to properly enforce policy restrictions during service account creation.
For detailed information about the fix, see the GitHub Security Advisory.
Workarounds
- Restrict network access to the RustFS IAM API endpoints using firewall rules or network segmentation
- Implement additional authentication requirements for service account creation operations at the network or application layer
- Deploy API gateway policies to block service account creation requests from STS credentials until the patch can be applied
- Monitor and manually review all service account creation requests as an interim measure
# Example: Restrict IAM API access at the network level
# iptables filters by address and port, not by API endpoint, so these rules block
# the whole RustFS API on port 9000 from anything outside the admin range, not only
# the service account creation endpoint. Adjust the port and the 10.0.0.0/8 range
# to your deployment, and note that an earlier ACCEPT rule in INPUT takes precedence.
iptables -A INPUT -p tcp --dport 9000 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 9000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.