CVE-2026-22042

EUVD-2026-1472

08.01.2026, 15:15

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, he `ImportIam` admin API validates permissions using `ExportIAMAction` instead of `ImportIAMAction`, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions (creating/updating users, groups, policies, and service accounts), this can lead to unauthorized IAM modification and privilege escalation. Version 1.0.0-alpha.79 fixes the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 13%

Affected Products (NVD)

Vendor	Product	Version
rustfs	rustfs	1.0.0:alpha1
rustfs	rustfs	1.0.0:alpha10
rustfs	rustfs	1.0.0:alpha11
rustfs	rustfs	1.0.0:alpha12
rustfs	rustfs	1.0.0:alpha13
rustfs	rustfs	1.0.0:alpha14
rustfs	rustfs	1.0.0:alpha15
rustfs	rustfs	1.0.0:alpha16
rustfs	rustfs	1.0.0:alpha17
rustfs	rustfs	1.0.0:alpha18
rustfs	rustfs	1.0.0:alpha19
rustfs	rustfs	1.0.0:alpha2
rustfs	rustfs	1.0.0:alpha20
rustfs	rustfs	1.0.0:alpha21
rustfs	rustfs	1.0.0:alpha22
rustfs	rustfs	1.0.0:alpha23
rustfs	rustfs	1.0.0:alpha24
rustfs	rustfs	1.0.0:alpha25
rustfs	rustfs	1.0.0:alpha26
rustfs	rustfs	1.0.0:alpha27
rustfs	rustfs	1.0.0:alpha28
rustfs	rustfs	1.0.0:alpha29
rustfs	rustfs	1.0.0:alpha3
rustfs	rustfs	1.0.0:alpha30
rustfs	rustfs	1.0.0:alpha31
rustfs	rustfs	1.0.0:alpha32
rustfs	rustfs	1.0.0:alpha33
rustfs	rustfs	1.0.0:alpha34
rustfs	rustfs	1.0.0:alpha35
rustfs	rustfs	1.0.0:alpha36
rustfs	rustfs	1.0.0:alpha37
rustfs	rustfs	1.0.0:alpha38
rustfs	rustfs	1.0.0:alpha39
rustfs	rustfs	1.0.0:alpha4
rustfs	rustfs	1.0.0:alpha40
rustfs	rustfs	1.0.0:alpha41
rustfs	rustfs	1.0.0:alpha42
rustfs	rustfs	1.0.0:alpha43
rustfs	rustfs	1.0.0:alpha44
rustfs	rustfs	1.0.0:alpha45
rustfs	rustfs	1.0.0:alpha46
rustfs	rustfs	1.0.0:alpha47
rustfs	rustfs	1.0.0:alpha48
rustfs	rustfs	1.0.0:alpha49
rustfs	rustfs	1.0.0:alpha5
rustfs	rustfs	1.0.0:alpha50
rustfs	rustfs	1.0.0:alpha51
rustfs	rustfs	1.0.0:alpha52
rustfs	rustfs	1.0.0:alpha53
rustfs	rustfs	1.0.0:alpha54
rustfs	rustfs	1.0.0:alpha55
rustfs	rustfs	1.0.0:alpha56
rustfs	rustfs	1.0.0:alpha57
rustfs	rustfs	1.0.0:alpha58
rustfs	rustfs	1.0.0:alpha59
rustfs	rustfs	1.0.0:alpha6
rustfs	rustfs	1.0.0:alpha60
rustfs	rustfs	1.0.0:alpha61
rustfs	rustfs	1.0.0:alpha62
rustfs	rustfs	1.0.0:alpha63
rustfs	rustfs	1.0.0:alpha64
rustfs	rustfs	1.0.0:alpha65
rustfs	rustfs	1.0.0:alpha66
rustfs	rustfs	1.0.0:alpha67
rustfs	rustfs	1.0.0:alpha68
rustfs	rustfs	1.0.0:alpha69
rustfs	rustfs	1.0.0:alpha7
rustfs	rustfs	1.0.0:alpha70
rustfs	rustfs	1.0.0:alpha71
rustfs	rustfs	1.0.0:alpha72
rustfs	rustfs	1.0.0:alpha73
rustfs	rustfs	1.0.0:alpha74
rustfs	rustfs	1.0.0:alpha75
rustfs	rustfs	1.0.0:alpha76
rustfs	rustfs	1.0.0:alpha77
rustfs	rustfs	1.0.0:alpha78
rustfs	rustfs	1.0.0:alpha8
rustfs	rustfs	1.0.0:alpha9

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

References

https://github.com/rustfs/rustfs/security/advisories/GHSA-vcwh-pff9-64cc