CVE-2026-22042

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-22042

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22042.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-22042

Aliases

GHSA-vcwh-pff9-64cc

Published

2026-01-08T14:58:10.785Z

Modified

2026-03-14T12:47:10.668349Z

Severity

5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

RustFS has IAM Incorrect Authorization in ImportIam that Allows Privilege Escalation

Details

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, he ImportIam admin API validates permissions using ExportIAMAction instead of ImportIAMAction, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions (creating/updating users, groups, policies, and service accounts), this can lead to unauthorized IAM modification and privilege escalation. Version 1.0.0-alpha.79 fixes the issue.

Database specific

{
    "cwe_ids": [
        "CWE-285",
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22042.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/rustfs/rustfs

Affected ranges

Type

GIT

Repo

https://github.com/rustfs/rustfs

Events

Introduced

Fixed

a95e549430851f3c34ee4cc8dd7be60aa200e8c4

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.0.0-alpha.79"
        }
    ]
}

Affected versions

1.*

1.0.0-alpha.1

1.0.0-alpha.10

1.0.0-alpha.11

1.0.0-alpha.12

1.0.0-alpha.13

1.0.0-alpha.14

1.0.0-alpha.15

1.0.0-alpha.16

1.0.0-alpha.17

1.0.0-alpha.18

1.0.0-alpha.19

1.0.0-alpha.2

1.0.0-alpha.20

1.0.0-alpha.21

1.0.0-alpha.22

1.0.0-alpha.23

1.0.0-alpha.24

1.0.0-alpha.25

1.0.0-alpha.26

1.0.0-alpha.27

1.0.0-alpha.28

1.0.0-alpha.29

1.0.0-alpha.3

1.0.0-alpha.30

1.0.0-alpha.31

1.0.0-alpha.32

1.0.0-alpha.33

1.0.0-alpha.34

1.0.0-alpha.35

1.0.0-alpha.36

1.0.0-alpha.37

1.0.0-alpha.38

1.0.0-alpha.39

1.0.0-alpha.4

1.0.0-alpha.40

1.0.0-alpha.41

1.0.0-alpha.42

1.0.0-alpha.43

1.0.0-alpha.44

1.0.0-alpha.45

1.0.0-alpha.46

1.0.0-alpha.47

1.0.0-alpha.48

1.0.0-alpha.49

1.0.0-alpha.5

1.0.0-alpha.50

1.0.0-alpha.51

1.0.0-alpha.52

1.0.0-alpha.53

1.0.0-alpha.54

1.0.0-alpha.55

1.0.0-alpha.56

1.0.0-alpha.57

1.0.0-alpha.58

1.0.0-alpha.59

1.0.0-alpha.6

1.0.0-alpha.60

1.0.0-alpha.61

1.0.0-alpha.62

1.0.0-alpha.63

1.0.0-alpha.64

1.0.0-alpha.65

1.0.0-alpha.66

1.0.0-alpha.67

1.0.0-alpha.68

1.0.0-alpha.69

1.0.0-alpha.7

1.0.0-alpha.70

1.0.0-alpha.71

1.0.0-alpha.72

1.0.0-alpha.73

1.0.0-alpha.74

1.0.0-alpha.75

1.0.0-alpha.76

1.0.0-alpha.77

1.0.0-alpha.78

1.0.0-alpha.8

1.0.0-alpha.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22042.json"