External risk intelligence

RustFS Privilege Escalation Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-45043

A vulnerability in RustFS, a distributed object storage system, allows a user with specific privileges to escalate their access to full administrative control. This could impact organizations by enabling unauthorized access to and manipulation of stored data. The realistic business risk involves potential data breaches

Halo Surface Signal: 4

Privilege Escalation

External exposure likelihood

Halo Surface Signal score for CVE-2026-45043

The vulnerability exists in an administrative endpoint of a distributed object storage system. Such systems are commonly deployed as network-accessible services, and administrative APIs, while often restricted, are frequently exposed in management interfaces or gateways to support distributed operations and cloud-native service management.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists within RustFS, a distributed object storage system. An improper validation flaw in an administrative endpoint allows an authenticated user to escalate their privileges. This could lead to unauthorized creation of service accounts, ultimately granting full administrative access to the system.

  • Vulnerable administrative endpoint
  • Improper validation allows privilege escalation
  • Full administrative access to the system

Attack Path

How an attacker could exploit the issue

An attacker with ImportIAMAction privileges can exploit a vulnerability in the PUT /rustfs/admin/v3/import-iam endpoint. This endpoint improperly validates parent identities, allowing the creation of service accounts under arbitrary parent identities, including the root user. By providing attacker-controlled values for parent, claims, accessKey, and secretKey, an attacker can gain full administrative access through a persistent, attacker-defined credential.

  • Requires ImportIAMAction privilege.
  • Attacker creates service accounts under root.
  • Results in administrative access.

Live Threat

Current exploitation, exposure, and threat context

The RustFS distributed object storage system has a vulnerability in an administrative endpoint that could allow a user with specific privileges to create service accounts under arbitrary parent identities, including the root user. This could lead to privilege escalation and full administrative access. The vulnerability is addressed in newer versions of the software.

  • Likely attacker skill level: Low
  • Required access or conditions: User with ImportIAMAction
  • Business risk or urgency: High impact, treat as urgent

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This is a critical vulnerability in a distributed object storage system that allows privilege escalation to full administrative access. An attacker holding the ImportIAMAction privilege could create service accounts under arbitrary parent identities, effectively gaining administrative control. The vulnerability is addressed in a later version of the software.

  • Identify exposed assets using the affected system.
  • Reduce exposure or isolate risk.
  • Apply vendor fix, verify, and monitor.
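As an added detection example for the attack path above (not from the advisory or the RustFS project), the script below scans access-log lines for PUT requests to the import-iam endpoint and flags imported service accounts whose parent identity is root or differs from the importing principal. The log line format, the JSON field names in the request body, and the sample lines are constructed assumptions.

```python
import json
import re
from typing import Iterable, List, Optional, Tuple

# Endpoint named in the advisory for CVE-2026-45043.
IMPORT_IAM_PATH = "/rustfs/admin/v3/import-iam"

# Assumed log format: "<ts> <principal> <method> <path> <status> [body=<json>]".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<principal>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3})(?: body=(?P<body>.*))?$"
)


def suspicious_parents(principal: str, body: Optional[str]) -> List[Tuple[str, str]]:
    """Return (parent, reason) for each imported service account whose parent
    is root or is not the principal performing the import."""
    if not body:
        return []
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return [("?", "unparseable import body")]
    hits = []
    for sa in payload.get("serviceAccounts", []):  # assumed field name
        parent = str(sa.get("parent", ""))
        if parent == "root":
            hits.append((parent, "service account imported under root"))
        elif parent != principal:
            hits.append((parent, "parent differs from importing principal"))
    return hits


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Yield (ts, principal, parent, reason) for every flagged import request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "PUT" or m["path"] != IMPORT_IAM_PATH:
            continue
        for parent, reason in suspicious_parents(m["principal"], m["body"]):
            findings.append((m["ts"], m["principal"], parent, reason))
    return findings


# Constructed sample log: one benign import, one under root, one under another user.
SAMPLE_LOG = """2026-05-01T10:00:00Z ops-admin PUT /rustfs/admin/v3/import-iam 200 body={"serviceAccounts":[{"parent":"ops-admin","accessKey":"svc-1"}]}
2026-05-01T10:05:00Z ops-admin PUT /rustfs/admin/v3/import-iam 200 body={"serviceAccounts":[{"parent":"root","accessKey":"svc-2"}]}
2026-05-01T10:06:00Z alice GET /rustfs/admin/v3/info 200
2026-05-01T10:07:00Z ops-admin PUT /rustfs/admin/v3/import-iam 200 body={"serviceAccounts":[{"parent":"bob","accessKey":"svc-3"}]}"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Any hit on the root parent is the pattern the advisory describes; a mismatch between parent and importing principal is worth review even after patching.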

Frequently asked questions

What is RustFS and what is it used for?

RustFS is a distributed object storage system built using the Rust programming language. It is designed for storing and managing large amounts of data across multiple servers, often used in cloud environments or for large-scale data management.

What kind of weakness does CVE-2026-45043 represent?

CVE-2026-45043 is an improper validation vulnerability (CWE-284) that also enables improper privilege management (CWE-269). This means the system didn't correctly check the inputs it received, allowing a user to gain more permissions than they should have.

How can an attacker trigger the vulnerability in RustFS?

An attacker needs to have the 'ImportIAMAction' privilege and interact with the PUT /rustfs/admin/v3/import-iam endpoint. The vulnerability is triggered when the system accepts attacker-controlled values for parent identities, claims, access keys, and secret keys without proper checks.

Who should be concerned about this RustFS vulnerability?

Organizations using RustFS should be concerned, especially if it is exposed to the internet. Systems like distributed object storage are frequently configured as network-accessible services, making this a potentially significant risk for external-facing infrastructure.

What is the first step to address the RustFS vulnerability?

The first step is to identify all instances of the affected RustFS technology within your environment. Once identified, consider reducing their exposure or isolating them to mitigate immediate risk while planning for the vendor's fix.
