What is CVE-2026-22042?

### Summary The `ImportIam` admin API validates permissions using **`ExportIAMAction`** instead of **`ImportIAMAction`**, allowing a principal with *export-only* IAM permissions to perform *import* operations. Since importing IAM data performs privileged **write** actions (creating/updating users, groups, policies, and service accounts), this can lead to **unauthorized IAM modification and privilege escalation**. --- ### Details In `ImportIam`, the authorization check is implemented as follows: ```rust validate_admin_request( &req.headers, &cred, owner, false, vec![Action::AdminAction(AdminAction::ExportIAMAction)], ).await?; ``` However, this code resides in the **Import IAM** operation (`struct ImportIam {}`), which performs **state-changing IAM writes**. The expected behavior is to validate against **`AdminAction::ImportIAMAction`** (or an equivalent import-specific admin action), not `ExportIAMAction`. --- ### PoC **Prerequisites** 1. A RustFS deployment with IAM enabled. 2. An IAM user or role that has **Export IAM** permission but **does not** have Import IAM or full admin permissions. 3. Access credentials for that user. **Steps** 1. Create or obtain an IAM principal with permission equivalent to: ``` AdminAction::ExportIAMAction ``` and without Import IAM privileges. 2. Prepare a valid IAM import ZIP archive containing, for example: * A new policy granting administrative permissions * A user or service account bound to that policy 3. Send a request to the Import IAM endpoint (the same endpoint handled by `ImportIam::call`), authenticating with the export-only credentials. 4. Observe that: * The request passes authorization. * IAM entities from the archive are created or modified successfully. **Expected Result** * The request should be rejected with an authorization error (e.g., AccessDenied). **Actual Result** * The request succeeds, and IAM state is modified.

What is the severity of CVE-2026-22042?

CVE-2026-22042 has a CVSS v3 score of 8.8, which is classified as High severity.

Is there an exploit available for CVE-2026-22042?

No known public exploits are currently available for CVE-2026-22042.

Is there a patch available for CVE-2026-22042?

Yes, patches are available for CVE-2026-22042. Check the vendor advisories for update instructions.

CVE-2026-22042 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v38.8

CVSS v20.0

Priority Score587.0

EPSS Score0.0

High

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

8.8

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

The ImportIam admin API validates permissions using ExportIAMAction instead of ImportIAMAction, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions (creating/updating users, groups, policies, and service accounts), this can lead to unauthorized IAM modification and privilege escalation.

Details

In ImportIam, the authorization check is implemented as follows:

validate_admin_request(
    &req.headers,
    &cred,
    owner,
    false,
    vec![Action::AdminAction(AdminAction::ExportIAMAction)],
).await?;

However, this code resides in the Import IAM operation (struct ImportIam {}), which performs state-changing IAM writes.

The expected behavior is to validate against AdminAction::ImportIAMAction (or an equivalent import-specific admin action), not ExportIAMAction.

PoC

Prerequisites

A RustFS deployment with IAM enabled.
An IAM user or role that has Export IAM permission but does not have Import IAM or full admin permissions.
Access credentials for that user.

Steps

Create or obtain an IAM principal with permission equivalent to:
```
AdminAction::ExportIAMAction
```
and without Import IAM privileges.
Prepare a valid IAM import ZIP archive containing, for example:
- A new policy granting administrative permissions
- A user or service account bound to that policy
Send a request to the Import IAM endpoint (the same endpoint handled by ), authenticating with the export-only credentials.

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Local

User Interaction:Network

Scope:Unchanged

Confidentiality:High

Integrity:High

Availability:High

Patch References

Security [email protected]