CVE-2026-22043

high-risk
Published 2026-01-08

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent’s full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue.

Do I need to act?

-
0.02% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: a95e549430851f3c34ee4cc8dd7be60aa200e8c4
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (20)

Rustfs
Rustfs
Rustfs
Rustfs
Rustfs
Rustfs
Rustfs
Rustfs
Rustfs
Rustfs
Rustfs
Rustfs
Rustfs
Rustfs
Rustfs
Rustfs
Rustfs
Rustfs
Rustfs
Rustfs

Affected Vendors

Rustfs

References (2)

Exploit https://github.com/rustfs/rustfs/security/advisories/GHSA-xgr5-qc6w-vcg9
Exploit https://github.com/rustfs/rustfs/security/advisories/GHSA-xgr5-qc6w-vcg9
59
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 0/34 · Minimal
Exposure 27/34 · High