CVE-2026-45043 - Vulnerability Details

- RustFS: ImportIam Allows Creation of Backdoor Service Accounts Under Any Parent Including Root

Description

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user (minioadmin). The endpoint accepts attacker-controlled parent, claims, accessKey, and secretKey values without enforcing privilege boundaries or sanitization. This enables privilege escalation to full administrative access using a persistent, attacker-defined credential. This vulnerability is fixed in 1.0.0-beta.2.

Published: 2026-05-29

Score: 9.3 Critical

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the PUT /rustfs/admin/v3/import-iam endpoint allows a user holding the ImportIAMAction privilege to create service accounts under any parent identity, including the root user (minioadmin). The endpoint accepts attacker‑controlled parent, claims, accessKey, and secretKey values without enforcing privilege boundaries or sanitization. This defect permits an attacker to create a persistent, attacker‑defined credential with full administrative rights, effectively giving the attacker complete control over the RustFS cluster. The weakness maps to CWE‑269 (Improper Authentication) and CWE‑284 (Improper Access Control).

Affected Systems

The vulnerability affects the RustFS distributed object storage system released by rustfs:rustfs. Versions earlier than 1.0.0‑beta.2 are susceptible. The affected system is any deployment exposing the RustFS API with an account that has the ImportIAMAction capability.

Risk and Exploitability

The CVSS score of 9.3 indicates a high severity for this privilege escalation flaw. No EPSS score is publicly available at this time, and the vulnerability is not listed in the CISA KEV catalog, but the impact is significant. Exploitation requires network access to the vulnerable API endpoint and an authenticated user with ImportIAMAction rights. Once the backdoor account is created, the attacker can fully compromise the cluster, making timely mitigation critical.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

rustfs

affected

Version	Status	Constraints
`< 1.0.0-beta.2`	affected	—

No data.

Vendor Product Confidence Versions

Rustfs

100%

Version	Status	Scheme	Platform
`[0,1.0.0-beta.2)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade RustFS to version 1.0.0‑beta.2 or later to apply the vendor fix.
Restrict the ImportIAMAction permission to a minimal set of trusted administrative accounts and revoke it from general service accounts.
Configure firewall or network policies to restrict direct access to the /rustfs/admin/v3/import-iam endpoint, allowing only trusted IP ranges or internal management networks.

Generated by OpenCVE AI on May 29, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/rustfs/rustfs/security/advisories/GHSA-566f-q62r-wcr8

History

Fri, 29 May 2026 13:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Rustfs Rustfs rustfs
Vendors & Products		Rustfs Rustfs rustfs

Fri, 29 May 2026 12:45:00 +0000

Type	Values Removed	Values Added
Description		RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user (minioadmin). The endpoint accepts attacker-controlled parent, claims, accessKey, and secretKey values without enforcing privilege boundaries or sanitization. This enables privilege escalation to full administrative access using a persistent, attacker-defined credential. This vulnerability is fixed in 1.0.0-beta.2.
Title		RustFS: ImportIam Allows Creation of Backdoor Service Accounts Under Any Parent Including Root
Weaknesses		CWE-269 CWE-284
References		https://github.com/rustfs/rustfs/security/advisories/GHSA-566f-q62r-wcr8
Metrics		cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}`

Subscriptions

Rustfs Rustfs

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-29T12:25:08.665Z

Updated: 2026-05-29T12:25:08.665Z

Reserved: 2026-05-08T18:07:27.341Z

Link: CVE-2026-45043

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-29T13:16:22.630

Modified: 2026-05-29T15:11:03.853

Link: CVE-2026-45043

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T14:00:20Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object