PT-2026-2143 · Rustfs · Rustfs

Threonine · Published 2026-01-08 · Updated 2026-01-08 · CVE-2026-22042

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: RustFS versions prior to 1.0.0-alpha.79

Description: RustFS is a distributed object storage system built in Rust. The ImportIam API endpoint incorrectly validates permissions using ExportIAMAction instead of ImportIAMAction, so a principal holding only export IAM permissions can perform import operations. Importing IAM data involves privileged write actions, including the creation or modification of users, groups, policies, and service accounts, potentially leading to unauthorized IAM modification and privilege escalation.

Recommendations: Update to version 1.0.0-alpha.79 or later.
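The following is an added illustration of the check mix-up named in the description, with the vulnerable handler beside a fix that derives the required action from the endpoint in one place. It is constructed example code, not RustFS's own; the `Principal`, `Endpoint` and handler names are assumptions.

```rust
use std::collections::HashSet;

#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub enum IamAction { ExportIAMAction, ImportIAMAction }

#[derive(Clone, Copy, Debug)]
pub enum Endpoint { ExportIam, ImportIam }

/// Hypothetical principal carrying the IAM actions it has been granted.
pub struct Principal { pub name: String, pub allowed: HashSet<IamAction> }

impl Principal {
    /// A principal that may only export IAM data (constructed for the example).
    pub fn export_only(name: &str) -> Self {
        Principal { name: name.to_string(), allowed: HashSet::from([IamAction::ExportIAMAction]) }
    }
    fn can(&self, a: IamAction) -> bool { self.allowed.contains(&a) }
}

/// Vulnerable pattern: the import handler checks the *export* action,
/// so an export-only principal reaches the privileged write path.
pub fn import_iam_vulnerable(p: &Principal) -> Result<(), String> {
    if !p.can(IamAction::ExportIAMAction) { return Err(format!("denied: {}", p.name)); }
    Ok(()) // would go on to create or modify users, groups, policies, service accounts
}

/// Structural fix: the required action is looked up from the endpoint in one
/// table, so a handler cannot be hand-wired to the wrong action.
fn required_action(e: Endpoint) -> IamAction {
    match e {
        Endpoint::ExportIam => IamAction::ExportIAMAction,
        Endpoint::ImportIam => IamAction::ImportIAMAction,
    }
}

pub fn authorize(p: &Principal, e: Endpoint) -> Result<(), String> {
    let needed = required_action(e);
    if p.can(needed) { Ok(()) } else { Err(format!("denied: {} lacks {:?} for {:?}", p.name, needed, e)) }
}

/// Fixed import handler: goes through the single authorization path.
pub fn import_iam_fixed(p: &Principal) -> Result<(), String> { authorize(p, Endpoint::ImportIam) }

fn main() {
    let auditor = Principal::export_only("auditor");
    println!("vulnerable: {:?}", import_iam_vulnerable(&auditor));
    println!("fixed:      {:?}", import_iam_fixed(&auditor));
}
```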

Tags: Exploit · Fix · LPE · Improper Authorization · Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-22042
GHSA-VCWH-PFF9-64CC

Affected Products

Rustfs