5.7

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-22043

CVE-2026-22043: RustFS has IAM deny_only Short-Circuit that Allows Privilege Escalation via Service Account Minting

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed deny_only short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent’s full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-22043

CVE-2026-22043:

5.7

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rustfs	rust	>= 1.0.0-alpha.13, <= 1.0.0-alpha.78	1.0.0-alpha.79

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a privilege escalation in RustFS's IAM system, rooted in a logical flaw within the policy::policy::Policy::is_allowed function. When this function was invoked with the deny_only flag set to true, it would incorrectly grant permission by returning true without verifying any Allow rules in the associated policy. This flaw was exploitable through various admin operations that set the deny_only flag. The primary exploit path, as demonstrated by the proof-of-concept, involved the creation of a new service account. The rustfs::admin::handlers::service_account::AddServiceAccount::handle function would set deny_only=true when a restricted service account attempted to create a new service account for itself. This action allowed the creation of a new service account without any attached policy, causing it to inherit the full permissions of its parent and thereby escalating privileges.

The security patch addresses this vulnerability through a two-pronged approach. First, it rectifies the logic in policy::policy::Policy::is_allowed to return false when deny_only is true, thereby enforcing the requirement for an explicit Allow rule. Second, it removes the logic that sets deny_only=true in the handle methods of AddServiceAccount, AddUser, and GetUserInfo, ensuring these operations consistently require explicit permissions.

Consequently, the vulnerable functions are Policy::is_allowed due to its flawed authorization logic, and the handle methods of AddServiceAccount, AddUser, and GetUserInfo, which served as vectors to exploit this flaw. During an exploit following the PoC, rustfs::admin::handlers::service_account::AddServiceAccount::handle would be the primary function observed in a runtime profile, which then calls the vulnerable is_allowed function.

Vulnerable functions

policy::policy::Policy::is_allowed

crates/policy/src/policy/policy.rs

The function `is_allowed` contained a logical flaw where it would return `true` if the `deny_only` argument was true, without checking for any `Allow` statements. This allowed bypassing policy checks. The patch corrects this by returning `false` when `deny_only` is true and the user is not the owner, thus enforcing that an explicit `Allow` rule must be matched.

admin::handlers::service_account::AddServiceAccount::handle

rustfs/src/admin/handlers/service_account.rs

This function, which handles the creation of service accounts, would set `deny_only` to `true` when a service account was creating a child account for itself or its parent. This triggered the vulnerability in `Policy::is_allowed`, leading to privilege escalation. The patch removes this logic and hardcodes `deny_only` to `false`.

admin::handlers::user::AddUser::handle

rustfs/src/admin/handlers/user.rs

Similar to `AddServiceAccount`, the function for adding a user also incorrectly used the `deny_only` flag when a user was creating an account for themselves. This was patched preventively to avoid a similar exploit vector by always requiring explicit `Allow` permissions.

admin::handlers::user::GetUserInfo::handle

rustfs/src/admin/handlers/user.rs

The function for retrieving user information also incorrectly used the `deny_only` flag. It was patched as a preventative measure to ensure consistent security semantics and require explicit permissions for all admin operations.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-22043: RustFS has IAM deny_only Short-Circuit that Allows Privilege Escalation via Service Account Minting

CVE-2026-22043:

5.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2026-22043: RustFS has IAM deny_only Short-Circuit that Allows Privilege Escalation via Service Account Minting

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.7

5.7

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI