PT-2026-44825 · Rustfs · Rustfs

Mr-In4Inci3Le · Published 2026-05-29 · Updated 2026-06-02 · CVE-2026-45043

CVSS v4.0: 9.3 Critical

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: RustFS versions prior to 1.0.0-beta.2

Description: Improper validation in the 'PUT /rustfs/admin/v3/import-iam' endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user (minioadmin). The endpoint accepts attacker-controlled parent, claims, accessKey, and secretKey values without enforcing privilege boundaries or sanitization. This enables privilege escalation to full administrative access through a persistent, attacker-defined credential.

Recommendations: Update to version 1.0.0-beta.2. As a temporary workaround, restrict access to the 'PUT /rustfs/admin/v3/import-iam' endpoint or limit the assignment of ImportIAMAction permissions.
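The privilege boundary the description says is missing, shown as an added illustrative check. This is example code written for this advisory, not RustFS's own implementation: the types `Caller` and `ServiceAccountEntry`, the reserved-claim list, and the credential length limits are assumptions. `import_unchecked` models the reported behaviour of accepting every entry as supplied; `validate_entry` enforces that the root user is never a parent, that a non-admin caller can only create service accounts under its own identity, that policy-bearing claims are not taken from the client, and that credentials fit sane bounds.

```rust
// Added example for the advisory above. Not RustFS code; all names are assumed.

/// Identity performing the import (assumed shape, not a RustFS type).
#[derive(Debug, Clone)]
pub struct Caller {
    pub access_key: String,
    pub is_admin: bool,
}

/// One service-account entry in an import payload (assumed shape).
#[derive(Debug, Clone)]
pub struct ServiceAccountEntry {
    pub parent: String,
    pub access_key: String,
    pub secret_key: String,
    pub claims: Vec<(String, String)>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ImportError {
    ParentIsRoot,
    ParentNotCaller { caller: String, parent: String },
    ReservedClaim(String),
    BadAccessKey,
    BadSecretKey,
}

/// Root identity named in the advisory; it must never become a parent via import.
pub const ROOT_USER: &str = "minioadmin";

/// Claim keys assumed to influence a service account's effective policy.
/// Assumed list for illustration; the real set depends on the server's claim model.
pub const RESERVED_CLAIMS: &[&str] = &["parent", "policy", "sa-policy"];

/// The pre-fix behaviour as described: every entry is accepted as supplied.
pub fn import_unchecked(entries: &[ServiceAccountEntry]) -> Vec<ServiceAccountEntry> {
    entries.to_vec()
}

/// Hardened validation: Ok(()) only when this caller may create a service
/// account with this parent and the supplied values are well-formed.
pub fn validate_entry(caller: &Caller, entry: &ServiceAccountEntry) -> Result<(), ImportError> {
    // 1. Root can never be the parent of an imported service account, whoever calls.
    if entry.parent == ROOT_USER {
        return Err(ImportError::ParentIsRoot);
    }
    // 2. A non-admin caller may only create service accounts under its own identity.
    if !caller.is_admin && entry.parent != caller.access_key {
        return Err(ImportError::ParentNotCaller {
            caller: caller.access_key.clone(),
            parent: entry.parent.clone(),
        });
    }
    // 3. Claims that would alter the effective policy are never taken from the client.
    if let Some((k, _)) = entry.claims.iter().find(|(k, _)| RESERVED_CLAIMS.contains(&k.as_str())) {
        return Err(ImportError::ReservedClaim(k.clone()));
    }
    // 4. Credential bounds (assumed, MinIO-style limits): access key 3..=20 chars of
    //    [A-Za-z0-9_-], secret key 8..=40 chars without whitespace.
    let ak = &entry.access_key;
    if ak.len() < 3 || ak.len() > 20 || !ak.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_') {
        return Err(ImportError::BadAccessKey);
    }
    let sk = &entry.secret_key;
    if sk.len() < 8 || sk.len() > 40 || sk.chars().any(char::is_whitespace) {
        return Err(ImportError::BadSecretKey);
    }
    Ok(())
}

/// Hardened import: partitions the payload into accepted entries and (key, reason) rejections.
pub fn import_checked(
    caller: &Caller,
    entries: &[ServiceAccountEntry],
) -> (Vec<ServiceAccountEntry>, Vec<(String, ImportError)>) {
    let mut accepted = Vec::new();
    let mut rejected = Vec::new();
    for e in entries {
        match validate_entry(caller, e) {
            Ok(()) => accepted.push(e.clone()),
            Err(err) => rejected.push((e.access_key.clone(), err)),
        }
    }
    (accepted, rejected)
}

/// Helper to build constructed sample entries.
pub fn entry(parent: &str, ak: &str, sk: &str, claims: &[(&str, &str)]) -> ServiceAccountEntry {
    ServiceAccountEntry {
        parent: parent.to_string(),
        access_key: ak.to_string(),
        secret_key: sk.to_string(),
        claims: claims.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect(),
    }
}

fn main() {
    // Constructed sample payload: a non-admin holder of ImportIAMAction tries to
    // smuggle a persistent key under the root identity and under another user.
    let caller = Caller { access_key: "alice".into(), is_admin: false };
    let payload = vec![
        entry("alice", "alice-svc-1", "correct-horse-battery", &[]),
        entry(ROOT_USER, "backdoor01", "attacker-chosen-secret", &[]),
        entry("bob", "bob-svc-1", "correct-horse-battery", &[]),
    ];
    println!("unchecked import keeps {} entries", import_unchecked(&payload).len());
    let (accepted, rejected) = import_checked(&caller, &payload);
    println!("checked import accepted: {:?}", accepted.iter().map(|e| &e.access_key).collect::<Vec<_>>());
    for (ak, why) in &rejected {
        println!("rejected {ak}: {why:?}");
    }
}
```

The root check runs before the admin check on purpose: even a legitimate administrator should not be able to mint root-parented credentials through a bulk import path, since those keys survive as persistent access and are hard to tell apart from the real root identity in audit logs.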

Tags: Exploit, Fix, LPE

Weakness Enumeration: Improper Privilege Management, Improper Access Control


Related Identifiers: CVE-2026-45043

Affected Products: Rustfs