5.7

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-22042

CVE-2026-22042: RustFS has IAM Incorrect Authorization in ImportIam that Allows Privilege Escalation

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, he ImportIam admin API validates permissions using ExportIAMAction instead of ImportIAMAction, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions (creating/updating users, groups, policies, and service accounts), this can lead to unauthorized IAM modification and privilege escalation. Version 1.0.0-alpha.79 fixes the issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-22042

CVE-2026-22042:

5.7

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rustfs	rust	< 1.0.0-alpha.79	1.0.0-alpha.79

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists because the ImportIam admin API operation incorrectly checks for ExportIAMAction permission instead of ImportIAMAction. This allows a user with lower-privileged export permissions to perform highly-privileged import actions, such as creating or modifying users, groups, and policies, leading to privilege escalation. The analysis of the patch confirms this directly. By comparing the vulnerable version 1.0.0-alpha.78 with the patched version 1.0.0-alpha.79, I identified the fixing commit b95bee64b2fb55e88c0c0a2205d6be9e143c202f. The patch in the file rustfs/src/admin/handlers/user.rs clearly shows the change from AdminAction::ExportIAMAction to AdminAction::ImportIAMAction within the ImportIam::call function. This function is the entry point for the vulnerable API call and is the precise location of the flawed authorization check.

Vulnerable functions

ImportIam::call

rustfs/src/admin/handlers/user.rs

The function `ImportIam::call` in `rustfs/src/admin/handlers/user.rs` uses an incorrect authorization check. It validates the request against `ExportIAMAction` instead of `ImportIAMAction`, allowing a user with only export permissions to perform privileged import operations, leading to potential privilege escalation.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-22042: RustFS has IAM Incorrect Authorization in ImportIam that Allows Privilege Escalation

CVE-2026-22042:

5.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.7

5.7

CVE-2026-22042: RustFS has IAM Incorrect Authorization in ImportIam that Allows Privilege Escalation

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI