Security Flaw in RustFS Distributed Object Storage by Rust
CVE-2026-22042

5.7MEDIUM

Key Information:

Vendor: Rustfs
Status: Rustfs
Vendor: CVE Published:; 8 January 2026

What is CVE-2026-22042?

RustFS, a distributed object storage system, contains a vulnerability that arises from the incorrect validation of permissions within its ImportIam admin API. This flaw allows users with export-only IAM permissions to exploit the system and perform unauthorized import operations. Such actions could enable the creation and modification of crucial IAM-related entities, leading to elevated privileges and potential security breaches. The issue has been addressed in version 1.0.0-alpha.79 with a patch to ensure proper permission checks.

Affected Version(s)

rustfs < 1.0.0-alpha.79

References

https://github.com/rustfs/rustfs/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V4

Score:

5.7

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 8, 2026
Vulnerability Reserved
Jan 5, 2026

CVE-2026-22042 Data

JSON

Rustfs

What is CVE-2026-22042?

Affected Version(s)

References

CVSS V4

Timeline