Back to search
CVE-2026-22043
Published: Jan 8, 2026
Modified: Jan 8, 2026
PUBLISHED
Description
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent’s full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue.
| Vendor | Product | Versions |
|---|---|---|
rustfs | rustfs | affected >= 1.0.0-alpha.13, < 1.0.0-alpha.79 |
References
https://github.com/rustfs/rustfs/security/advisories/GHSA-xgr5-qc6w-vcg9
x_refsource_CONFIRM
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now