PT-2026-6484 · Crates.Io · Rustfs

Published

2026-01-08

·

Updated

2026-01-08

CVSS v4.0

5.6

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Summary

The ImportIam admin API validates permissions using ExportIAMAction instead of ImportIAMAction, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions (creating/updating users, groups, policies, and service accounts), this can lead to unauthorized IAM modification and privilege escalation.

Details

In ImportIam, the authorization check is implemented as follows:
rust
validate admin request(
  &req.headers,
  &cred,
  owner,
  false,
  vec![Action::AdminAction(AdminAction::ExportIAMAction)],
).await?;
However, this code resides in the Import IAM operation (struct ImportIam {}), which performs state-changing IAM writes.
The expected behavior is to validate against AdminAction::ImportIAMAction (or an equivalent import-specific admin action), not ExportIAMAction.

PoC

Prerequisites
  1. A RustFS deployment with IAM enabled.
  2. An IAM user or role that has Export IAM permission but does not have Import IAM or full admin permissions.
  3. Access credentials for that user.
Steps
  1. Create or obtain an IAM principal with permission equivalent to:
AdminAction::ExportIAMAction
and without Import IAM privileges.
  1. Prepare a valid IAM import ZIP archive containing, for example:
  • A new policy granting administrative permissions
  • A user or service account bound to that policy
  1. Send a request to the Import IAM endpoint (the same endpoint handled by ImportIam::call), authenticating with the export-only credentials.
  2. Observe that:
  • The request passes authorization.
  • IAM entities from the archive are created or modified successfully.
Expected Result
  • The request should be rejected with an authorization error (e.g., AccessDenied).
Actual Result
  • The request succeeds, and IAM state is modified.

Fix

Improper Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-285

Related Identifiers

GHSA-VCWH-PFF9-64CC

Affected Products

Rustfs