PT-2026-2144 · Rustfs · Rustfs
Threonine
·
Published
2026-01-08
·
Updated
2026-01-08
·
CVE-2026-22043
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
RustFS versions 1.0.0-alpha.13 through 1.0.0-alpha.78
Description
RustFS is a distributed object storage system built in Rust. A flaw in the deny-only short-circuit within RustFS IAM allows a restricted service account or STS credential to create an unrestricted service account, gaining the parent's full privileges. This enables privilege escalation and bypasses session or inline policy restrictions. The vulnerable component is the RustFS IAM system, specifically the deny-only short-circuit logic.
Recommendations
Versions prior to 1.0.0-alpha.79 are affected and should be updated to version 1.0.0-alpha.79 or later.
Exploit
Fix
LPE
Insufficiently Protected Credentials
Improper Privilege Management
Improper Access Control
Related Identifiers
Affected Products
Rustfs