CRITICAL | CVE-2026-45043 | Published | Modified | CNA: GitHub_M

CVE-2026-45043: RustFS: ImportIam Allows Creation of Backdoor Service Accounts Under Any Parent Including Root

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user (minioadmin). The endpoint accepts attacker-controlled parent, claims, accessKey, and secretKey values without enforcing privilege boundaries or sanitization. This enables privilege escalation to full administrative access using a persistent, attacker-defined credential. This vulnerability is fixed in 1.0.0-beta.2.

HarborGuard Analysis

Synopsis

This is an authorization flaw in RustFS, a distributed object storage system written in Rust. The vulnerable PUT /rustfs/admin/v3/import-iam endpoint is reachable over the network and only requires an account with the ImportIAMAction permission; it fails to enforce privilege boundaries on the parent identity, accessKey, or secretKey fields supplied in the request. A successful attacker creates a persistent service account under the root user (minioadmin) with attacker-chosen credentials, yielding full administrative control over the object store. A patched-image rebuild at 1.0.0-beta.2 is available on HarborGuard for environments running an affected version.
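The boundary check the advisory describes as missing, as an added example that is not RustFS's own code: a caller may only import service accounts under its own identity unless it is an admin, root is never a valid import parent, and the supplied access key and secret are sanity-checked instead of being stored as received. The field names, the root access key constant and the 32-byte secret minimum are assumptions for illustration, not RustFS's schema or policy.

```rust
// Added example (not RustFS's own code): the boundary check the advisory says the
// import-iam handler lacked. Field names, root key and secret minimum are assumptions.
use std::collections::HashSet;

const ROOT_ACCESS_KEY: &str = "minioadmin";
const MIN_SECRET_LEN: usize = 32;
#[derive(Debug)]
pub struct ServiceAccountImport<'a> {
    pub parent: &'a str,     // identity whose privileges the account inherits
    pub access_key: &'a str, // caller-supplied credential pair
    pub secret_key: &'a str,
}
#[derive(Debug, PartialEq)]
pub enum Rejection { ParentIsRoot, ParentNotOwnedByCaller, AccessKeyCollision, WeakSecret }

/// Root is never a valid import parent, a non-admin may only import under its own
/// identity, access keys must be fresh and secrets must not be trivially short.
pub fn validate_import(
    caller: &str, caller_is_admin: bool, existing_keys: &HashSet<&str>,
    entry: &ServiceAccountImport,
) -> Result<(), Rejection> {
    if entry.parent == ROOT_ACCESS_KEY {
        return Err(Rejection::ParentIsRoot);
    }
    if !caller_is_admin && entry.parent != caller {
        return Err(Rejection::ParentNotOwnedByCaller);
    }
    if existing_keys.contains(entry.access_key) {
        return Err(Rejection::AccessKeyCollision);
    }
    if entry.secret_key.len() < MIN_SECRET_LEN {
        return Err(Rejection::WeakSecret);
    }
    Ok(())
}

/// Whole payload: rejects come back as (access key, reason) so they can be logged.
pub fn filter_import<'a>(
    caller: &str, caller_is_admin: bool, existing_keys: &HashSet<&str>,
    entries: &'a [ServiceAccountImport<'a>],
) -> (Vec<&'a ServiceAccountImport<'a>>, Vec<(&'a str, Rejection)>) {
    let (mut accepted, mut rejected) = (Vec::new(), Vec::new());
    for e in entries {
        match validate_import(caller, caller_is_admin, existing_keys, e) {
            Ok(()) => accepted.push(e),
            Err(r) => rejected.push((e.access_key, r)),
        }
    }
    (accepted, rejected)
}
```

The same predicate, run over an exported IAM snapshot rather than an incoming import, flags already-present service accounts whose parent is the root identity, which is the audit an affected deployment wants before and after upgrading.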

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment. The advisory is ingested from upstream feeds within minutes of publication and matched against RustFS images in customer registries and CI pipelines, including custom-built images that embed RustFS as a component.

Status: Available
Triage

Triage is available with the CVSS v4 score of 9.3 (Critical) carried through and reweighted by each customer's compliance policy, so internet-exposed object storage workloads can be elevated above internal ones. Findings are routed to the right inbox inside each customer org based on image ownership and workload tags.

Status: Available
Patch

Patched-image rebuilds at RustFS 1.0.0-beta.2 are available on HarborGuard for affected environments. For customers who opt into auto-remediation, the rebuild is produced, a regression test run is executed against it, and a pull request is opened against the workloads that consume the affected image.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the RustFS admin API over the network (AV:N).

  • Authentication: Required

    A low-privilege account holding the ImportIAMAction permission is sufficient (PR:L); no admin credentials are needed.

  • Victim interaction: Not required

    No user has to click, approve, or open anything (UI:N); the attacker drives the request directly.

  • Attack complexity: Low

    The exploit is reliable and condition-free (AC:L), requiring only a crafted JSON body to the import-iam endpoint.

Blast Radius

  • Creates a persistent service account under the root user (minioadmin) with attacker-chosen accessKey and secretKey, granting full administrative control of the RustFS cluster.
  • Reads any object stored in the system, including credentials, backups, and customer data held in the buckets.
  • Writes, overwrites, or deletes stored objects and modifies IAM policies, enabling tampering with downstream applications that trust the bucket contents.
  • Establishes a backdoor credential that survives password rotation of the legitimate root account, since the attacker controls a separate service-account secret.

How HarborGuard Handles This

Available on HarborGuard: rebuilt RustFS images at 1.0.0-beta.2 are produced as soon as the advisory is ingested, and for environments with auto-remediation enabled the rebuild is regression-tested and a patch PR is opened against the workloads that pull the affected image. Median time from CVE publication to merged patch PR for critical-severity issues like this is around 90 minutes in auto-remediation environments. Where compliance policy blocks automated merges, the rebuild is staged in the registry and the finding is routed to the workload owner with the upgrade target pinned to 1.0.0-beta.2; compensating controls worth considering in the interim include restricting network exposure of the admin API to a management VLAN and auditing existing IAM principals for unexpected ImportIAMAction grants.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 1.0.0-beta.2
Affected products: 1
Affected packages:
  • rustfs / rustfs < 1.0.0-beta.2
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N