CVE-2026-22043

RustFS has IAM deny_only Short-Circuit that Allows Privilege Escalation via Service Account Minting

Description

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent’s full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue.

INFO

Published Date :

2026-01-08T15:03:59.313Z

Last Modified :

2026-01-08T15:54:47.243Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-22043 vulnerability.

Vendors	Products
Rustfs	Rustfs

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-22043.

URL	Resource
https://github.com/rustfs/rustfs/security/advisories/GHSA-xgr5-qc6w-vcg9

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability