CVE-2026-22042

CVE-2026-22042 is a medium-severity security vulnerability in rustfs (rust), affecting versions < 1.0.0-alpha.79. It is fixed in 1.0.0-alpha.79.

Summary

The ImportIam admin API validates permissions using ExportIAMAction instead of ImportIAMAction, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions (creating/updating users, groups, policies, and service accounts), this can lead to unauthorized IAM modification and privilege escalation.

Details

In ImportIam, the authorization check is implemented as follows:

// Authorization check in ImportIam::call as shipped before 1.0.0-alpha.79:
// an import (write) operation is gated on the export (read) admin action.
validate_admin_request(
    &req.headers,
    &cred,
    owner,
    false,
    vec![Action::AdminAction(AdminAction::ExportIAMAction)],
).await?;

However, this code resides in the Import IAM operation (struct ImportIam {}), which performs state-changing IAM writes.

The expected behavior is to validate against AdminAction::ImportIAMAction (or an equivalent import-specific admin action), not ExportIAMAction.
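The mismatch described above, reduced to a runnable model. This is an added example, not rustfs code: `AdminAction`, `Action`, `validate_admin_request` and the two `import_iam_*` handlers mirror the names in the advisory's snippet, but their types and bodies here are hypothetical stand-ins, and `Principal`, `AuthError` and `ImportOutcome` are assumptions of this example. It places the vulnerable check beside the corrected one and shows that only the corrected handler denies an export-only principal.

```rust
// Added illustration (not rustfs code). Types, bodies and the Principal,
// AuthError and ImportOutcome names are assumptions of this example.
use std::collections::HashSet;

#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum AdminAction {
    ExportIAMAction,
    ImportIAMAction,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum Action {
    AdminAction(AdminAction),
}

#[derive(Debug, PartialEq, Eq)]
pub enum AuthError {
    AccessDenied(Action),
}

/// A caller's identity: the set of actions its IAM policy grants.
pub struct Principal {
    pub allowed: HashSet<Action>,
}

impl Principal {
    /// Constructed test principal that holds export-only IAM rights.
    pub fn export_only() -> Self {
        let mut allowed = HashSet::new();
        allowed.insert(Action::AdminAction(AdminAction::ExportIAMAction));
        Principal { allowed }
    }
}

/// Stand-in for validate_admin_request: the owner always passes; any other
/// principal must hold every action the handler asks for.
pub fn validate_admin_request(
    cred: &Principal,
    owner: bool,
    required: &[Action],
) -> Result<(), AuthError> {
    if owner {
        return Ok(());
    }
    for action in required {
        if !cred.allowed.contains(action) {
            return Err(AuthError::AccessDenied(*action));
        }
    }
    Ok(())
}

/// Outcome of an import handler, returned rather than printed so it can be checked.
#[derive(Debug, PartialEq, Eq)]
pub enum ImportOutcome {
    Applied,
    Denied(Action),
}

/// Vulnerable shape: the import handler authorizes against ExportIAMAction,
/// so a principal that may only export IAM also passes this gate.
pub fn import_iam_vulnerable(cred: &Principal, owner: bool) -> ImportOutcome {
    let required = [Action::AdminAction(AdminAction::ExportIAMAction)];
    match validate_admin_request(cred, owner, &required) {
        Ok(()) => ImportOutcome::Applied, // privileged IAM writes would follow here
        Err(AuthError::AccessDenied(a)) => ImportOutcome::Denied(a),
    }
}

/// Fixed shape: the handler names the action that matches the operation it performs.
pub fn import_iam_fixed(cred: &Principal, owner: bool) -> ImportOutcome {
    let required = [Action::AdminAction(AdminAction::ImportIAMAction)];
    match validate_admin_request(cred, owner, &required) {
        Ok(()) => ImportOutcome::Applied,
        Err(AuthError::AccessDenied(a)) => ImportOutcome::Denied(a),
    }
}

fn main() {
    let export_only = Principal::export_only();
    println!("vulnerable handler: {:?}", import_iam_vulnerable(&export_only, false));
    println!("fixed handler:      {:?}", import_iam_fixed(&export_only, false));
}
```

The general lesson is the one the advisory states: the action passed to the authorization check must be derived from the operation the handler performs, not copied from a neighbouring handler. A unit test like the one modelled here, one per admin handler, asserting that a principal holding only the read-side action is denied on the write-side endpoint, catches this class of copy-paste authorization bug before release.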

PoC

Prerequisites

  1. A RustFS deployment with IAM enabled.
  2. An IAM user or role that has Export IAM permission but does not have Import IAM or full admin permissions.
  3. Access credentials for that user.

Steps

  1. Create or obtain an IAM principal with permission equivalent to AdminAction::ExportIAMAction and without Import IAM privileges.

  2. Prepare a valid IAM import ZIP archive containing, for example:

    • A new policy granting administrative permissions
    • A user or service account bound to that policy

  3. Send a request to the Import IAM endpoint (the same endpoint handled by ImportIam::call), authenticating with the export-only credentials.

  4. Observe that:

    • The request passes authorization.
    • IAM entities from the archive are created or modified successfully.

Expected Result

  • The request should be rejected with an authorization error (e.g., AccessDenied).

Actual Result

  • The request succeeds, and IAM state is modified.

Impact

Affected versions

rustfs (< 1.0.0-alpha.79)

Security releases

rustfs → 1.0.0-alpha.79 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Upgrade rustfs to 1.0.0-alpha.79 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-22042? CVE-2026-22042 is a medium-severity security vulnerability in rustfs (rust), affecting versions < 1.0.0-alpha.79. It is fixed in 1.0.0-alpha.79.
  2. Which versions of rustfs are affected by CVE-2026-22042? rustfs (rust) versions < 1.0.0-alpha.79 are affected.
  3. Is there a fix for CVE-2026-22042? Yes. CVE-2026-22042 is fixed in 1.0.0-alpha.79. Upgrade to this version or later.
  4. Is CVE-2026-22042 exploitable, and should I be worried? Whether CVE-2026-22042 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2026-22042 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-22042? Upgrade rustfs to 1.0.0-alpha.79 or later.

Other vulnerabilities in rustfs

  • CVE-2026-40937
  • CVE-2026-27822
  • CVE-2026-27607
  • CVE-2026-24762
  • CVE-2026-21862