Impact
RustFS, a Rust‑based distributed object storage system, has a bug in the ImportIam administrative API: the permission check tests for ExportIAMAction instead of ImportIAMAction. Because ImportIam performs privileged write operations—creating or updating users, groups, policies, and service accounts—an attacker who holds only export‑only IAM permissions can nevertheless perform an import. This allows unauthorized modification of the IAM configuration and results in privilege escalation. The flaw is an instance of improper authorization (CWE‑285), compounded by the incorrect authorization check (CWE‑863) that results from naming the wrong action constant.
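The bug class described above, as an added illustration that is not RustFS code: a privileged handler gated on the wrong action constant, next to a fix that derives the required action from the operation itself. The `IamAction`, `IamOperation` and `Principal` names are hypothetical.

```rust
// Added illustration, not RustFS code: an IAM write handler whose check names
// the wrong (read-only) action, beside a fix that ties each operation to the
// one action it requires. All type and function names are hypothetical.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum IamAction { ExportIam, ImportIam }

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum IamOperation { Export, Import }

impl IamOperation {
    /// Single source of truth for the action each operation requires.
    pub fn required_action(self) -> IamAction {
        match self {
            IamOperation::Export => IamAction::ExportIam,
            IamOperation::Import => IamAction::ImportIam,
        }
    }
}

/// A caller together with the IAM actions its policy grants.
pub struct Principal { pub allowed: Vec<IamAction> }

impl Principal {
    pub fn is_allowed(&self, action: IamAction) -> bool { self.allowed.contains(&action) }
}

/// Vulnerable shape (CWE-285 / CWE-863): ImportIam, a privileged write, checks
/// the export action, so an export-only principal passes the gate.
pub fn import_iam_vulnerable(caller: &Principal) -> Result<(), &'static str> {
    if !caller.is_allowed(IamAction::ExportIam) { return Err("access denied"); }
    Ok(()) // would then create/update users, groups, policies, service accounts
}

/// Fixed shape: the handler asks for the action bound to its own operation,
/// so a hand-typed (or copy-pasted) wrong constant cannot silently widen access.
pub fn authorize(caller: &Principal, op: IamOperation) -> Result<(), &'static str> {
    if caller.is_allowed(op.required_action()) { Ok(()) } else { Err("access denied") }
}

pub fn import_iam_fixed(caller: &Principal) -> Result<(), &'static str> {
    authorize(caller, IamOperation::Import)?;
    Ok(())
}

fn main() {
    // Constructed principal holding only the export permission.
    let export_only = Principal { allowed: vec![IamAction::ExportIam] };
    println!("vulnerable: {:?}", import_iam_vulnerable(&export_only)); // Ok(())
    println!("fixed: {:?}", import_iam_fixed(&export_only)); // Err("access denied")
}
```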
Affected Systems
All RustFS releases prior to version 1.0.0‑alpha.79 are impacted. The affected versions are the alpha releases alpha1 through alpha78 enumerated in the CPE strings for the rustfs vendor's RustFS product. Any deployment of these pre‑79 alpha releases that exposes the ImportIam API and grants export‑only IAM permissions to a principal is vulnerable.
Risk and Exploitability
The CVSS score of 5.7 indicates moderate severity, but the EPSS score of less than 1% shows a very low likelihood of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. An attacker must first authenticate to a RustFS instance and hold export‑only IAM rights, then invoke the ImportIam endpoint; no network access is required beyond what is needed to reach the API. Because the attack requires valid credentials and a specific IAM permission, the risk to an organization depends on how export‑only permissions are delegated, but the ability to create or modify IAM entities is a significant privilege‑escalation outcome.