CVE-2026-22042
Published: 08 January 2026
Summary
CVE-2026-22042 is a high-severity Improper Authorization (CWE-285) vulnerability in Rustfs Rustfs. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); the CVE ranks at the 20.1st percentile for exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely remediation of the authorization flaw in the `ImportIam` API by patching to version 1.0.0-alpha.79, directly preventing exploitation.
- AC-3 (Access Enforcement): Mandates enforcement of correct access authorizations for privileged IAM operations, countering the flawed check that validates `ExportIAMAction` instead of `ImportIAMAction`.
- AC-6 (Least Privilege): Limits principals to least privilege, reducing the privilege escalation risk from export-only permissions being misused for import operations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The authorization bypass in the `ImportIam` API directly enables unauthorized IAM modifications (creation of users, groups, policies, and service accounts) and privilege escalation (T1068).
NVD Description
RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, the `ImportIam` admin API validates permissions using `ExportIAMAction` instead of `ImportIAMAction`, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions (creating/updating users, groups, policies, and service accounts), this can lead to unauthorized IAM modification and privilege escalation. Version 1.0.0-alpha.79 fixes the issue.
Deeper analysis
CVE-2026-22042 affects RustFS, a distributed object storage system built in Rust, specifically versions prior to 1.0.0-alpha.79. The vulnerability resides in the `ImportIam` admin API, which incorrectly validates permissions using `ExportIAMAction` instead of `ImportIAMAction`. This flawed check (classified under CWE-285: Improper Authorization and CWE-863: Incorrect Authorization) enables principals holding only export IAM permissions to execute import operations. Importing IAM data involves privileged write actions, such as creating or updating users, groups, policies, and service accounts, so the flaw results in unauthorized IAM modifications and potential privilege escalation. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.
An attacker with low-privilege access, specifically a principal possessing export-only IAM permissions, can exploit this over the network with low complexity and no user interaction required. By calling the `ImportIam` API, the attacker bypasses intended authorization checks and performs import operations, achieving high-impact confidentiality, integrity, and availability effects through IAM takeover. This leads to full privilege escalation, allowing the creation or modification of high-privilege entities within the RustFS environment.
The GitHub Security Advisory (GHSA-vcwh-pff9-64cc) confirms that upgrading to RustFS version 1.0.0-alpha.79 resolves the issue by correcting the permission validation in the `ImportIam` API. Security practitioners should prioritize patching affected deployments and review IAM configurations for overly permissive export roles.
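The following is an added illustration, not RustFS code: a minimal, hypothetical IAM model in which the import handler is written once with the wrong action check (the pattern the advisory describes) and once with the correct one, so that an export-only principal's outcome can be compared under both. The type and function names are assumptions for this example only.

```rust
// Added illustration (not RustFS code): why authorizing the import handler
// against the export action is an authorization flaw (CWE-285 / CWE-863).
use std::collections::HashSet;

/// Admin actions a policy can grant (hypothetical names, modelled on the advisory).
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub enum AdminAction {
    ExportIAMAction,
    ImportIAMAction,
}

/// A principal and the admin actions its policy allows (hypothetical model).
pub struct Principal {
    pub name: &'static str,
    pub allowed: HashSet<AdminAction>,
}

impl Principal {
    pub fn with_actions(name: &'static str, actions: &[AdminAction]) -> Self {
        Principal { name, allowed: actions.iter().copied().collect() }
    }
    pub fn is_allowed(&self, action: AdminAction) -> bool {
        self.allowed.contains(&action)
    }
}

/// Vulnerable pattern (behaviour described for versions before 1.0.0-alpha.79):
/// the import handler authorizes against the *export* action, so a principal
/// with export-only permissions reaches the privileged write path.
pub fn import_iam_vulnerable(p: &Principal) -> Result<(), String> {
    if !p.is_allowed(AdminAction::ExportIAMAction) {
        return Err(format!("{}: access denied", p.name));
    }
    Ok(()) // privileged writes (users, groups, policies, service accounts) would run here
}

/// Fixed pattern: the import handler authorizes against the import action,
/// i.e. the action that matches the operation actually performed.
pub fn import_iam_fixed(p: &Principal) -> Result<(), String> {
    if !p.is_allowed(AdminAction::ImportIAMAction) {
        return Err(format!("{}: access denied", p.name));
    }
    Ok(())
}

fn main() {
    // Constructed sample principal: a backup job that may only export IAM data.
    let exporter = Principal::with_actions("backup-bot", &[AdminAction::ExportIAMAction]);
    println!("vulnerable check: {:?}", import_iam_vulnerable(&exporter)); // Ok(()) - escalation
    println!("fixed check:      {:?}", import_iam_fixed(&exporter));      // Err(..) - denied
}
```

When auditing similar handlers, the property to verify is that the action named in the authorization check is the same action the handler performs, which is exactly what the fixed version restores.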
Details
- CWE(s)