FKIE_CVE-2026-22043
Vulnerability from fkie_nvd - Published: 2026-01-08 15:15 - Updated: 2026-01-15 21:13
Severity ?
Summary
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent’s full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/rustfs/rustfs/security/advisories/GHSA-xgr5-qc6w-vcg9 | Exploit, Vendor Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/rustfs/rustfs/security/advisories/GHSA-xgr5-qc6w-vcg9 | Exploit, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha13:*:*:*:rust:*:*",
"matchCriteriaId": "BD2476D6-257C-4A96-BED4-D8B002402242",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha14:*:*:*:rust:*:*",
"matchCriteriaId": "774EC64C-73ED-4D6B-893B-30A066DA934C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha15:*:*:*:rust:*:*",
"matchCriteriaId": "4B567F4F-131F-4D4B-8C0C-9212F22F2BB3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha16:*:*:*:rust:*:*",
"matchCriteriaId": "711F7641-A2B2-410B-B05D-6656F9A1798F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha17:*:*:*:rust:*:*",
"matchCriteriaId": "EB79AC62-2B79-441C-BC09-4C834C32EADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha18:*:*:*:rust:*:*",
"matchCriteriaId": "62DE84EE-9F3B-460A-AC13-D2B8CCBC5B4E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha19:*:*:*:rust:*:*",
"matchCriteriaId": "DEF70599-6550-49D2-9800-FE3249A66568",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha20:*:*:*:rust:*:*",
"matchCriteriaId": "FDFE93A5-B6D7-482A-A891-4D8844604C07",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha21:*:*:*:rust:*:*",
"matchCriteriaId": "79AC4F00-B006-46C2-863F-2946BB02B58E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha22:*:*:*:rust:*:*",
"matchCriteriaId": "E313A243-ED56-498D-988F-E088693EBB61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha23:*:*:*:rust:*:*",
"matchCriteriaId": "D3A60CB7-1F01-4A60-8555-C225AC89B959",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha24:*:*:*:rust:*:*",
"matchCriteriaId": "1C98618D-CF5D-406B-8AA5-34B412F3D43D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha25:*:*:*:rust:*:*",
"matchCriteriaId": "98373960-FEDB-4933-92D5-2A597045DD23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha26:*:*:*:rust:*:*",
"matchCriteriaId": "83E0E1A5-3C07-45FF-80FD-0DB375E1575E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha27:*:*:*:rust:*:*",
"matchCriteriaId": "C2D66076-4005-4F58-A8E2-69062053D786",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha28:*:*:*:rust:*:*",
"matchCriteriaId": "1D8CB0F5-299F-4BB0-B264-F5642DD991C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha29:*:*:*:rust:*:*",
"matchCriteriaId": "96E20418-FE0C-4202-8771-FFF8EBB1B62D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha30:*:*:*:rust:*:*",
"matchCriteriaId": "810A17F9-AEEA-4396-B437-120789BBE882",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha31:*:*:*:rust:*:*",
"matchCriteriaId": "7B1FECD4-E993-417D-AEA7-F8E97DC6A5FA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha32:*:*:*:rust:*:*",
"matchCriteriaId": "3839F299-E0E7-4994-A8AC-B67A534C9847",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha33:*:*:*:rust:*:*",
"matchCriteriaId": "46CAEA4E-5DFD-4668-ABF0-DC53EB04EE7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha34:*:*:*:rust:*:*",
"matchCriteriaId": "591075AB-81EF-4D42-A2A0-FA28BC6B78CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha35:*:*:*:rust:*:*",
"matchCriteriaId": "FD46ED07-6DCC-4BF8-A4E8-78B2FF6DCE4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha36:*:*:*:rust:*:*",
"matchCriteriaId": "6DF15533-D6E1-49B0-B30A-6FEECC7AE06C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha37:*:*:*:rust:*:*",
"matchCriteriaId": "EC68F03A-D299-4BFB-A99E-4B08E4E0848F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha38:*:*:*:rust:*:*",
"matchCriteriaId": "0DD60024-CAB2-4DA6-A9CA-503D2631E98B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha39:*:*:*:rust:*:*",
"matchCriteriaId": "32470ED0-7873-41A3-B2D5-7CD444ED0A45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha40:*:*:*:rust:*:*",
"matchCriteriaId": "E2EFC74D-40E7-426C-9F7B-3B654F2B940F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha41:*:*:*:rust:*:*",
"matchCriteriaId": "EAAF504E-51A5-492B-887E-BB67788B899C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha42:*:*:*:rust:*:*",
"matchCriteriaId": "35C83244-D2C7-4D70-9C0B-D0590B00C608",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha43:*:*:*:rust:*:*",
"matchCriteriaId": "429E4ECD-997A-4D3B-9DE2-60835AE14473",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha44:*:*:*:rust:*:*",
"matchCriteriaId": "5DDDBAA5-D207-498C-A6F0-79F07806C511",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha45:*:*:*:rust:*:*",
"matchCriteriaId": "81758B85-6D2B-4914-96EC-E4CCDE2F9A52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha46:*:*:*:rust:*:*",
"matchCriteriaId": "D439B484-E32D-4A6A-84EE-9307A028F736",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha47:*:*:*:rust:*:*",
"matchCriteriaId": "FDA137F7-DC8A-44F4-8061-F502AC8DD7BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha48:*:*:*:rust:*:*",
"matchCriteriaId": "AE3EF7B3-E8C0-4844-9165-3A26EB426615",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha49:*:*:*:rust:*:*",
"matchCriteriaId": "EB40D926-AE20-46A7-9B6E-ED1BADB9A08B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha50:*:*:*:rust:*:*",
"matchCriteriaId": "3A43A950-59A6-4343-815A-953C11DC3F13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha51:*:*:*:rust:*:*",
"matchCriteriaId": "87B36190-C30B-45BC-9738-BE0B3321025D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha52:*:*:*:rust:*:*",
"matchCriteriaId": "86A2967C-E2C6-4C73-9BDE-CCECACDB2B02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha53:*:*:*:rust:*:*",
"matchCriteriaId": "5E10A654-E265-4469-8099-ABBB1F5D8BCF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha54:*:*:*:rust:*:*",
"matchCriteriaId": "762591A8-A0A2-45D2-B15F-1E85DFC5CA86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha55:*:*:*:rust:*:*",
"matchCriteriaId": "53DE196C-1914-40AE-854D-4988073D57C3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha56:*:*:*:rust:*:*",
"matchCriteriaId": "5BE55B7E-3806-4F8A-B09C-7B9D173D3FAE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha57:*:*:*:rust:*:*",
"matchCriteriaId": "8CF07DA6-11F6-4A19-9FD9-1955EC22C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha58:*:*:*:rust:*:*",
"matchCriteriaId": "1A571B98-0EE7-46A6-8514-3E02F9CE969A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha59:*:*:*:rust:*:*",
"matchCriteriaId": "3263EEC7-94FF-4802-BCB2-0C3713079439",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha60:*:*:*:rust:*:*",
"matchCriteriaId": "FA13E6EE-A889-408E-8503-2F57A5E46CE1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha61:*:*:*:rust:*:*",
"matchCriteriaId": "4D28A63E-ADE5-4DEC-8E75-0884A7011613",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha62:*:*:*:rust:*:*",
"matchCriteriaId": "21E6129E-565C-45AE-A0C8-2D1B623EEC9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha63:*:*:*:rust:*:*",
"matchCriteriaId": "046F640C-18E9-4FC4-812D-8E4CAAFCAE55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha64:*:*:*:rust:*:*",
"matchCriteriaId": "BFB217B7-78AA-4D16-9A2B-863BD6CD01B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha65:*:*:*:rust:*:*",
"matchCriteriaId": "F8EEF3FF-410B-40F3-A144-CD61ED394109",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha66:*:*:*:rust:*:*",
"matchCriteriaId": "E3494138-7FE7-4152-935C-C1C35179064B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha67:*:*:*:rust:*:*",
"matchCriteriaId": "9E0461BC-0E45-4F9F-A837-4D9FC8852A75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha68:*:*:*:rust:*:*",
"matchCriteriaId": "E259407D-61CF-4956-A456-57F131334456",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha69:*:*:*:rust:*:*",
"matchCriteriaId": "B6E44EF8-98A5-47F5-B7E9-3199EB08FAC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha70:*:*:*:rust:*:*",
"matchCriteriaId": "F4CBBD85-02F9-491A-8845-59EFB88F2DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha71:*:*:*:rust:*:*",
"matchCriteriaId": "2271380A-3AE1-4954-8D16-5065C8E88D32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha72:*:*:*:rust:*:*",
"matchCriteriaId": "DB3F6C7E-71E4-427A-96F4-F62DE0ED9450",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha73:*:*:*:rust:*:*",
"matchCriteriaId": "980BEAAE-143E-4F28-9A2F-58CED3D296E9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha74:*:*:*:rust:*:*",
"matchCriteriaId": "8E14C88E-CE9B-44DA-98DE-280C0D6E4C8D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha75:*:*:*:rust:*:*",
"matchCriteriaId": "EEC13614-61AD-45A7-B7FA-07346D33CACF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha76:*:*:*:rust:*:*",
"matchCriteriaId": "6B3E9EB0-0A41-4146-B6A9-49B1A70358DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha77:*:*:*:rust:*:*",
"matchCriteriaId": "CBDD75C5-1A08-4758-9324-172C1D539322",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha78:*:*:*:rust:*:*",
"matchCriteriaId": "96461CC0-012C-40D7-B1CB-FF9A6B7EB644",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent\u2019s full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue."
},
{
"lang": "es",
"value": "RustFS es un sistema de almacenamiento de objetos distribuido construido en Rust. En las versiones 1.0.0-alpha.13 a 1.0.0-alpha.78, un cortocircuito defectuoso de \u0027deny_only\u0027 en el IAM de RustFS permite que una cuenta de servicio restringida o una credencial STS autoemita una cuenta de servicio sin restricciones, heredando los privilegios completos del padre. Esto permite la escalada de privilegios y la elusi\u00f3n de las restricciones de pol\u00edticas de sesi\u00f3n/en l\u00ednea. La versi\u00f3n 1.0.0-alpha.79 corrige el problema."
}
],
"id": "CVE-2026-22043",
"lastModified": "2026-01-15T21:13:08.733",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "PROOF_OF_CONCEPT",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-01-08T15:15:45.583",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-xgr5-qc6w-vcg9"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-xgr5-qc6w-vcg9"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
},
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…