CVE-2026-22043
Published: 08 January 2026
Summary
CVE-2026-22043 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in RustFS (vendor: Rustfs). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 8.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely flaw remediation by patching RustFS to version 1.0.0-alpha.79 or later, directly eliminating the vulnerable `deny_only` short-circuit in IAM.
- AC-3 (Access Enforcement): Mandates strict enforcement of approved access control policies by systems, countering the flawed IAM logic that permits restricted accounts to issue unrestricted credentials.
- Limits privileges to the minimum necessary for service accounts and their parents, reducing the impact of escalation even if the IAM bypass occurs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The IAM flaw directly enables remote privilege escalation (T1068) by allowing creation of an unrestricted cloud/service account (T1136.003) from a restricted credential.
NVD Description
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent's full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue.
Deeper analysis
CVE-2026-22043 affects RustFS, a distributed object storage system built in Rust, specifically versions 1.0.0-alpha.13 through 1.0.0-alpha.78. The vulnerability stems from a flawed `deny_only` short-circuit in the RustFS IAM (Identity and Access Management) component, which permits a restricted service account or STS (Security Token Service) credential to self-issue an unrestricted service account. This results in the new credential inheriting the parent's full privileges, enabling privilege escalation and the bypass of session or inline policy restrictions. The issue is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs 269 (Improper Privilege Management), 284 (Improper Access Control), and 522 (Insufficiently Protected Credentials).
Attackers with access to any restricted service account or valid STS credential can exploit this vulnerability remotely over the network with low complexity and no special privileges or user interaction required. By leveraging the flawed short-circuit, they can generate a new unrestricted service account that inherits the full privileges of the parent account, achieving complete privilege escalation. This grants high-impact unauthorized access to confidentiality, integrity, and availability across the RustFS deployment, potentially allowing full system compromise depending on the parent's permissions.
The GitHub Security Advisory (GHSA-xgr5-qc6w-vcg9) confirms that RustFS version 1.0.0-alpha.79 addresses the issue by fixing the `deny_only` short-circuit logic in the IAM component. Security practitioners should upgrade to this version or later and review IAM policies for restricted accounts to mitigate exposure, as no workarounds are detailed in available references.
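As an added illustration of the bug class described above (not RustFS's code and not part of the advisory), the Rust model below puts a hypothetical "deny-only" child-credential issuance routine, which strips only actions the parent's session policy explicitly denies, beside a bounded variant that grants a child only what the parent can itself do under its full effective policy. The `Policy` and `Credential` types, the action names and both `issue_child_*` functions are constructed for this example.

```rust
use std::collections::BTreeSet;
/// Minimal policy model constructed for this example (not RustFS's types).
pub struct Policy {
    pub allow: BTreeSet<&'static str>, // actions explicitly allowed
    pub deny: BTreeSet<&'static str>,  // actions explicitly denied
}
impl Policy {
    pub fn permits(&self, action: &str) -> bool {
        self.allow.contains(action) && !self.deny.contains(action)
    }
}
/// A credential: the account's base policy plus the optional session/inline
/// restriction attached when it was issued (e.g. an STS-style token).
pub struct Credential {
    pub base: Policy,
    pub session: Option<Policy>,
}
impl Credential {
    /// Effective permission: base policy, further bounded by the session policy.
    pub fn effective(&self, action: &str) -> bool {
        self.base.permits(action) && self.session.as_ref().map_or(true, |s| s.permits(action))
    }
}

/// Flawed "deny-only" issuance: the child inherits the parent's base rights and only actions
/// the session policy explicitly denies are stripped; a policy that merely omits an action
/// (the usual way to restrict) does not bound the child at all.
pub fn issue_child_deny_only(parent: &Credential, requested: &Policy) -> Policy {
    let denied = parent.session.as_ref().map(|s| s.deny.clone()).unwrap_or_default();
    let allow = requested.allow.iter()
        .filter(|a| parent.base.permits(a) && !denied.contains(*a))
        .cloned().collect();
    Policy { allow, deny: requested.deny.clone() }
}

/// Bounded issuance: the child receives only actions the parent itself can perform under
/// its full effective policy (base AND session/inline), so it cannot exceed the parent.
pub fn issue_child_bounded(parent: &Credential, requested: &Policy) -> Policy {
    let allow = requested.allow.iter().filter(|a| parent.effective(a)).cloned().collect();
    Policy { allow, deny: requested.deny.clone() }
}

/// Scenario: a read-only session credential asks for a child with full write rights.
pub fn demo() -> (Policy, Policy) {
    let all = BTreeSet::from(["GetObject", "PutObject", "DeleteBucket"]);
    let session = Policy { allow: BTreeSet::from(["GetObject"]), deny: BTreeSet::new() };
    let parent = Credential { base: Policy { allow: all.clone(), deny: BTreeSet::new() }, session: Some(session) };
    let requested = Policy { allow: all, deny: BTreeSet::new() };
    (issue_child_deny_only(&parent, &requested), issue_child_bounded(&parent, &requested))
}
```

In the scenario, the deny-only path hands the read-only credential a child that can delete buckets, while the bounded path leaves the child read-only; the defensive rule is that a child's effective policy must be the intersection of the request with the parent's effective policy, never a deny-filtered copy of the request.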
Details
- CWE(s)