GHSA-VCWH-PFF9-64CC RustFS has IAM Incorrect Authorization in ImportIam that Allows Privilege Escalation

Summary The ImportIam admin API validates permissions using ExportIAMAction instead of ImportIAMAction, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions creating/updating users, groups, policies, and...

RustFS has IAM Incorrect Authorization in ImportIam that Allows Privilege Escalation

Summary The ImportIam admin API validates permissions using ExportIAMAction instead of ImportIAMAction, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions creating/updating users, groups, policies, and...

CVE-2026-22042

CVE-2026-22042 / RustFS : Prior to 1.0.0-alpha.79, the ImportIam admin API validates permissions with ExportIAMAction instead of ImportIAMAction, allowing a principal with export-only IAM permissions to perform import operations. Importing IAM data can create or modify users, groups, policies, an...

PT-2026-2143

Name of the Vulnerable Software and Affected Versions RustFS versions prior to 1.0.0-alpha.79 Description RustFS is a distributed object storage system built in Rust. The ImportIam API endpoint incorrectly validates permissions using ExportIAMAction instead of ImportIAMAction. This allows a...