CVE-2026-45043
RustFS: ImportIam Allows Creation of Backdoor Service Accounts Under Any Parent Including Root
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 12th |
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user (minioadmin). The endpoint accepts attacker-controlled parent, claims, accessKey, and secretKey values without enforcing privilege boundaries or sanitization. This enables privilege escalation to full administrative access using a persistent, attacker-defined credential. This vulnerability is fixed in 1.0.0-beta.2.
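
One possible form of the privilege-boundary check whose absence the description reports, as an added Rust example (not RustFS's code and not its actual fix). The types, function names, policy and sample batch are assumptions; only the fields `parent`, `accessKey` and `claims` and the root user `minioadmin` come from the description.

```rust
// Added illustration: hypothetical types, not RustFS's code or its actual fix.
#[derive(Debug, PartialEq)]
pub enum Reject { ReservedAccessKey, RootParent, ForeignParent, UntrustedClaims }

// One service-account entry from an import payload (fields named in the description).
pub struct SvcAcct<'a> {
    pub parent: &'a str,
    pub access_key: &'a str,
    pub claims: Vec<(&'a str, &'a str)>,
}

pub struct Caller<'a> { pub name: &'a str, pub is_root: bool }

// Assumed policy: only root may import accounts under other parents or with supplied claims.
pub fn check(caller: &Caller, root: &str, a: &SvcAcct) -> Result<(), Reject> {
    // Nobody may overwrite the root credential itself through an import.
    if a.access_key == root { return Err(Reject::ReservedAccessKey); }
    if caller.is_root { return Ok(()); }
    if a.parent == root { return Err(Reject::RootParent); }
    if a.parent != caller.name { return Err(Reject::ForeignParent); }
    // Claims in the payload are untrusted input for a non-root caller.
    if !a.claims.is_empty() { return Err(Reject::UntrustedClaims); }
    Ok(())
}

// Validate the whole batch first, so one bad entry can fail the import before any write.
pub fn audit<'a>(caller: &Caller, root: &str, batch: &'a [SvcAcct<'a>]) -> Vec<(&'a str, Reject)> {
    batch.iter()
        .filter_map(|a| check(caller, root, a).err().map(|r| (a.access_key, r)))
        .collect()
}

// Constructed sample batch, for illustration only.
pub fn sample() -> Vec<SvcAcct<'static>> {
    vec![
        SvcAcct { parent: "alice", access_key: "alice-svc", claims: vec![] },
        SvcAcct { parent: "minioadmin", access_key: "svc-under-root", claims: vec![] },
        SvcAcct { parent: "bob", access_key: "svc-under-bob", claims: vec![] },
        SvcAcct { parent: "alice", access_key: "alice-svc2", claims: vec![("example-claim", "value")] },
    ]
}

fn main() {
    let caller = Caller { name: "alice", is_root: false };
    let batch = sample();
    for (key, why) in audit(&caller, "minioadmin", &batch) {
        println!("reject {key}: {why:?}");
    }
}
```
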
| CWE | CWE-269 CWE-284 |
| Vendor | rustfs |
| Product | rustfs |
| Published | May 29, 2026 |
| Last Updated | Jun 2, 2026 |
Affected Versions
rustfs / rustfs
< 1.0.0-beta.2