CVE-2026-22043

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-22043

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22043.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-22043

Aliases

GHSA-xgr5-qc6w-vcg9

Published

2026-01-08T15:03:59.313Z

Modified

2026-03-14T12:47:11.071086Z

Severity

5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

RustFS has IAM deny_only Short-Circuit that Allows Privilege Escalation via Service Account Minting

Details

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed deny_only short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent’s full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-269",
        "CWE-284"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22043.json"
}

References

Affected packages

Git / github.com/rustfs/rustfs

Affected ranges

Type: GIT
Repo: https://github.com/rustfs/rustfs
Events: Introduced

b97845fffdae24affedc2e95153da7bf75049a95

Fixed

a95e549430851f3c34ee4cc8dd7be60aa200e8c4

Affected versions

1.*

1.0.0-alpha.13

1.0.0-alpha.14

1.0.0-alpha.15

1.0.0-alpha.16

1.0.0-alpha.17

1.0.0-alpha.18

1.0.0-alpha.19

1.0.0-alpha.20

1.0.0-alpha.21

1.0.0-alpha.22

1.0.0-alpha.23

1.0.0-alpha.24

1.0.0-alpha.25

1.0.0-alpha.26

1.0.0-alpha.27

1.0.0-alpha.28

1.0.0-alpha.29

1.0.0-alpha.30

1.0.0-alpha.31

1.0.0-alpha.32

1.0.0-alpha.33

1.0.0-alpha.34

1.0.0-alpha.35

1.0.0-alpha.36

1.0.0-alpha.37

1.0.0-alpha.38

1.0.0-alpha.39

1.0.0-alpha.40

1.0.0-alpha.41

1.0.0-alpha.42

1.0.0-alpha.43

1.0.0-alpha.44

1.0.0-alpha.45

1.0.0-alpha.46

1.0.0-alpha.47

1.0.0-alpha.48

1.0.0-alpha.49

1.0.0-alpha.50

1.0.0-alpha.51

1.0.0-alpha.52

1.0.0-alpha.53

1.0.0-alpha.54

1.0.0-alpha.55

1.0.0-alpha.56

1.0.0-alpha.57

1.0.0-alpha.58

1.0.0-alpha.59

1.0.0-alpha.60

1.0.0-alpha.61

1.0.0-alpha.62

1.0.0-alpha.63

1.0.0-alpha.64

1.0.0-alpha.65

1.0.0-alpha.66

1.0.0-alpha.67

1.0.0-alpha.68

1.0.0-alpha.69

1.0.0-alpha.70

1.0.0-alpha.71

1.0.0-alpha.72

1.0.0-alpha.73

1.0.0-alpha.74

1.0.0-alpha.75

1.0.0-alpha.76

1.0.0-alpha.77

1.0.0-alpha.78

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22043.json"