
A Single Mislabeled Permission Is Letting Attackers Take Over Cloud Storage Systems

A critical flaw in RustFS lets anyone with read-only storage access rewrite the entire security rulebook. Here's what's at stake and what to do now.

PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

RustFS Permission Bug Lets Users Hijack Storage Systems

Imagine hiring a security guard who can only check IDs at the door — then discovering they've been quietly rewriting the entire building's access logs from the inside. That's essentially what a newly disclosed vulnerability in a popular cloud storage system allows.

Who's Affected — and Why It Matters

RustFS is a distributed object storage platform — the kind of software that sits quietly behind the scenes, holding the files, backups, and databases that businesses and developers depend on every day. It's used in self-hosted cloud environments, data pipelines, and enterprise storage infrastructure. The flaw, tracked as CVE-2026-22042, affects every version of RustFS released before version 1.0.0-alpha.79.

If your organization runs RustFS to store sensitive data — customer records, internal documents, application backups — and you haven't updated yet, you should treat this as urgent. The vulnerability scores 8.8 out of 10 (HIGH) on the industry severity scale, meaning security experts consider it close to the worst kind of flaw: easy to exploit, with serious consequences.

What an Attacker Can Actually Do

To understand this bug, picture a company office with two types of employees. One group has "read-only" badges — they can walk through and look at things, but they're not supposed to touch anything or change any settings. The other group has "admin" badges, which let them create new employees, hand out keys, and change who's allowed to go where. This vulnerability essentially lets someone with a read-only badge walk up to the admin terminal and start making changes — because the system never bothered to check which badge they were actually holding.

In technical terms, RustFS has an administrative feature called ImportIam that lets authorized administrators import identity and access management (IAM) data — which means creating or updating user accounts, groups, security policies, and service credentials. This is the master control panel for who gets to do what inside your storage system. The bug is almost embarrassingly simple: the software checks whether the person making the request has permission to export data, when it should be checking whether they have permission to import it. Export is a read-only action. Import rewrites the rules.

An attacker who already has export-only access — perhaps a junior employee, a contractor, or someone who compromised a limited-privilege account — can exploit this to grant themselves or anyone else full administrative control. They could create new admin accounts, delete existing security policies, or quietly slip backdoor service accounts into the system. From there, every file stored in RustFS is potentially within reach. This is called privilege escalation, and it's one of the most dangerous outcomes in any security breach.

The Technical Detail Security Teams Need

For the researchers and engineers in the room: this is a broken access control vulnerability (CWE-863 — Incorrect Authorization) in RustFS's admin API handler. Specifically, the ImportIam API endpoint validates the requesting principal against ExportIAMAction instead of ImportIAMAction. Since both actions exist as distinct permission primitives in the IAM model, any principal granted ExportIAMAction — a read-scoped privilege — silently satisfies the authorization check for a destructive write operation. The mismatch is a single, incorrect action constant in the permission enforcement path, making this trivially exploitable by any authenticated low-privilege user with export rights. CVSS score: 8.8 (HIGH).
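To make the single-constant mismatch concrete, here is an added illustration in Rust (not RustFS's own handler or type definitions): a minimal permission model in which the vulnerable ImportIam check consults the export action and the corrected check consults the import action. The `Action`, `Principal` and check-function names are assumptions for this example only.

```rust
use std::collections::HashSet;

// Simplified model of the admin-API permission check; the variant names
// follow the page's ExportIAMAction / ImportIAMAction, but this is not
// RustFS's own type or handler code.
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub enum Action {
    ExportIAMAction, // read-scoped: dump the IAM configuration
    ImportIAMAction, // write-scoped: overwrite users, groups, policies
}

// A caller and the set of actions its policy grants (hypothetical).
pub struct Principal {
    pub name: &'static str,
    pub allowed: HashSet<Action>,
}

impl Principal {
    pub fn new(name: &'static str, actions: &[Action]) -> Self {
        Principal { name, allowed: actions.iter().copied().collect() }
    }
    fn is_allowed(&self, action: Action) -> bool {
        self.allowed.contains(&action)
    }
}

// Pre-1.0.0-alpha.79 behaviour as described above: the ImportIam handler
// validates the caller against the export action, so an export-only
// principal satisfies the check for a destructive write.
pub fn import_iam_check_vulnerable(p: &Principal) -> bool {
    p.is_allowed(Action::ExportIAMAction)
}

// Corrected check: require the action that matches the operation performed.
pub fn import_iam_check_fixed(p: &Principal) -> bool {
    p.is_allowed(Action::ImportIAMAction)
}

fn main() {
    let auditor = Principal::new("auditor", &[Action::ExportIAMAction]);
    let admin = Principal::new("admin", &[Action::ExportIAMAction, Action::ImportIAMAction]);
    for p in [&auditor, &admin].iter() {
        println!("{:>8}: vulnerable={} fixed={}", p.name,
                 import_iam_check_vulnerable(p), import_iam_check_fixed(p));
    }
}
```

The export-only auditor passes the vulnerable check and fails the fixed one; the admin passes both, which is the only difference a correct patch should introduce.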

Has Anyone Been Attacked Yet?

As of publication, no active exploitation in the wild has been confirmed. The vulnerability was identified and disclosed responsibly through RustFS's development channel, and the maintainers moved quickly — the patch landed in version 1.0.0-alpha.79. There are no known victims or active campaigns targeting this flaw at this time.

That said, "not yet exploited" is not the same as "safe." Now that this CVE is public, it's only a matter of time before threat actors — from opportunistic hackers to more organized groups — scan for unpatched systems. The simplicity of the flaw makes it particularly attractive: no sophisticated tools required, just a low-privilege account and knowledge of the endpoint. Security teams should treat the window between disclosure and patching as extremely narrow.

What To Do Right Now

If you run RustFS in any environment, here are your three immediate action items:

  1. Update to RustFS version 1.0.0-alpha.79 or later — immediately. This is the only confirmed fix. Navigate to the official RustFS repository, pull the latest release, and redeploy. Don't wait for your next scheduled maintenance window. If you're running any version before 1.0.0-alpha.79, you are vulnerable right now.
  2. Audit your IAM accounts and permissions before and after patching. Before you update, pull a full export of your current IAM configuration and review every user, group, policy, and service account. Look for anything unfamiliar — an account you don't recognize, a service credential with more access than it should have, or a policy that was recently modified without a corresponding change request. Compare that list after patching to spot any unauthorized changes that may have already occurred.
  3. Enforce the principle of least privilege on all service accounts going forward. Conduct a permissions review and revoke any export-level IAM access that isn't strictly necessary for day-to-day operations. Consider temporarily restricting access to the ImportIam admin API endpoint entirely via network-level controls (firewall rules or API gateway policies) until you've confirmed all instances are patched and audited.
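For the before-and-after audit in step 2, the following added Rust example (not a RustFS tool) compares two IAM snapshots and reports added, removed and modified entries, so an escalated user or an unfamiliar service account stands out. The `"kind:name" -> policy` snapshot layout and all sample entries are constructed for this example; RustFS's real export format is not modelled.

```rust
use std::collections::BTreeMap;

// One IAM snapshot: "kind:name" -> attached policy summary.
// Constructed layout for this example, not RustFS's export format.
pub type Snapshot = BTreeMap<String, String>;

#[derive(Debug, Default, PartialEq)]
pub struct Changes {
    pub added: Vec<String>,
    pub removed: Vec<String>,
    pub modified: Vec<(String, String, String)>, // (key, before, after)
}

// Report every principal that appeared, disappeared or changed policy
// between the pre-patch export and the post-patch export.
pub fn diff_snapshots(before: &Snapshot, after: &Snapshot) -> Changes {
    let mut c = Changes::default();
    for (k, v) in before {
        match after.get(k) {
            None => c.removed.push(k.clone()),
            Some(w) if w != v => c.modified.push((k.clone(), v.clone(), w.clone())),
            _ => {}
        }
    }
    for k in after.keys().filter(|k| !before.contains_key(*k)) {
        c.added.push(k.clone());
    }
    c
}

pub fn snapshot(entries: &[(&str, &str)]) -> Snapshot {
    entries.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

fn main() {
    // Constructed sample: export taken before patching vs. after.
    let before = snapshot(&[
        ("user:alice", "iam-export-only"),
        ("user:bob", "admin-full"),
        ("svc:backup-runner", "readwrite:backups"),
    ]);
    let after = snapshot(&[
        ("user:alice", "admin-full"),        // escalated without a change request
        ("user:bob", "admin-full"),
        ("svc:backup-runner", "readwrite:backups"),
        ("svc:metrics-agent", "admin-full"), // unfamiliar service account
    ]);
    let changes = diff_snapshots(&before, &after);
    println!("added: {:?}\nremoved: {:?}\nmodified: {:?}",
             changes.added, changes.removed, changes.modified);
}
```

Any entry in `modified` whose policy grew from an export-scoped to an admin-scoped one, and any entry in `added` nobody can account for, is exactly the kind of change the vulnerability allows and deserves a change-request lookup.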

CVE: CVE-2026-22042  |  CVSS: 8.8 (HIGH)  |  Fixed in: RustFS 1.0.0-alpha.79  |  Category: Privilege Escalation / Broken Access Control
