Back to CVE List

CVE-2026-45043

Vulnerability Description

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user (minioadmin). The endpoint accepts attacker-controlled parent, claims, accessKey, and secretKey values without enforcing privilege boundaries or sanitization. This enables privilege escalation to full administrative access using a persistent, attacker-defined credential. This vulnerability is fixed in 1.0.0-beta.2.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-269
Source
NVD
Vendor
rustfs
Product
rustfs

External References

Discussion (0)

Add Comment

No comments yet. Be the first!