ByteOS Network

CVE Vulnerability Details :

CVE-2026-45043

PUBLISHED

More Info Official Page

Assigner-GitHub_M

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-29 May, 2026 | 12:25

Updated At-29 May, 2026 | 12:25

▼CVE Numbering Authority (CNA)

RustFS: ImportIam Allows Creation of Backdoor Service Accounts Under Any Parent Including Root

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user (minioadmin). The endpoint accepts attacker-controlled parent, claims, accessKey, and secretKey values without enforcing privilege boundaries or sanitization. This enables privilege escalation to full administrative access using a persistent, attacker-defined credential. This vulnerability is fixed in 1.0.0-beta.2.

Affected Products

Vendor

rustfs

Product

rustfs

Versions

Affected

< 1.0.0-beta.2

Problem Types

Type	CWE ID	Description
CWE	CWE-269	CWE-269: Improper Privilege Management
CWE	CWE-284	CWE-284: Improper Access Control

Type: CWE

CWE ID: CWE-269

Description: CWE-269: Improper Privilege Management

Type: CWE

CWE ID: CWE-284

Description: CWE-284: Improper Access Control

Metrics

Version	Base score	Base severity	Vector
4.0	9.3	CRITICAL	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Version: 4.0

Base score: 9.3

Base severity: CRITICAL

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

References

Hyperlink	Resource
https://github.com/rustfs/rustfs/security/advisories/GHSA-566f-q62r-wcr8	x_refsource_CONFIRM

Hyperlink: https://github.com/rustfs/rustfs/security/advisories/GHSA-566f-q62r-wcr8

Resource:

x_refsource_CONFIRM

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References