A critical privilege-escalation vulnerability in RustFS, the open-source Rust-based distributed object storage system, enables attackers with limited IAM permissions to forge persistent backdoor credentials directly tied to the root administrator account, with no patch currently available.
RustFS is an S3-compatible, high-performance distributed object storage system written in Rust, widely positioned as an open-source alternative to MinIO for on-premises and cloud-native environments.
Its IAM (Identity and Access Management) system governs access to buckets, service accounts, and administrative operations across multi-tenant deployments.
Because RustFS manages sensitive data infrastructure in enterprise environments, any flaw in its privilege boundary logic can have severe downstream consequences.
Security researcher Mr-In4inci3le disclosed a critical-severity vulnerability, tracked as CVE-2026-45043 and published in the GitHub Security Advisory GHSA-566f-q62r-wcr8, approximately three weeks ago.
The flaw resides in the PUT /rustfs/admin/v3/import-iam endpoint, the administrative interface used to restore bulk IAM state via ZIP-packaged JSON payloads.
The vulnerability earns a Critical CVSS v4.0 base score, with the full vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N, reflecting network-accessible exploitation, low attack complexity, low privilege requirements, and high impact on both confidentiality and integrity across primary and secondary systems.
The weakness is classified under CWE-269 (Improper Privilege Management) and CWE-284 (Improper Access Control). These two MITRE-defined categories cover failures in which a system fails to properly assign, restrict, or verify privilege boundaries for an actor.
The core issue lies in how the ImportIam handler in rustfs/src/admin/handlers/user.rs processes service account definitions from the ZIP payload. The handler iterates through attacker-supplied entries and calls iam_store.new_service_account(&req.parent, groups, opts) directly without validating any of the critical fields.
Specifically, the vulnerable code path:
- Does not validate req.parent: an attacker can set this to minioadmin or any privileged identity
- Does not sanitize req.claims: the sa-policy claim can be set to consoleAdmin, granting full console rights
- Does not restrict the attacker-controlled accessKey/secretKey pair, enabling permanent, credential-defined backdoor access
- Lacks the guard present in AddServiceAccount, which already protects against the use of the system access key via a constant_time_eq check
This asymmetric security posture, in which one code path is hardened and the parallel import path is entirely unguarded, is a classic example of incomplete security control implementation across equivalent privilege-sensitive operations.
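As an added illustration (not RustFS's own code), a Python model of the two code paths: import_unguarded mirrors the flaw by storing whatever the payload says, while import_guarded applies the kind of check the text attributes to AddServiceAccount (a constant-time comparison against the system access key) together with parent and claims validation. The system key value, the known-user set and the privileged-policy list are assumptions.

```python
import hmac
from dataclasses import dataclass, field

# Constructed values for this model: the root identity that parent must never
# point at, and the policy names treated as privileged (an assumption).
SYSTEM_ACCESS_KEY = "minioadmin"
PRIVILEGED_POLICIES = {"consoleAdmin"}


@dataclass
class ServiceAccount:
    parent: str
    access_key: str
    secret_key: str
    claims: dict = field(default_factory=dict)


class ImportRejected(Exception):
    """Raised by the guarded path when an imported entry fails validation."""


def import_unguarded(entries, store):
    """Mirrors the flaw: every entry is written to the store exactly as supplied."""
    for sa in entries:
        store[sa.access_key] = sa
    return sorted(store)


def validate_entry(sa, known_users):
    # Constant-time compare, standing in for the constant_time_eq guard the
    # text describes in AddServiceAccount: an import must never bind a
    # service account to (or overwrite) the system access key.
    if hmac.compare_digest(sa.parent.encode(), SYSTEM_ACCESS_KEY.encode()):
        raise ImportRejected(f"{sa.access_key}: parent is the system access key")
    if hmac.compare_digest(sa.access_key.encode(), SYSTEM_ACCESS_KEY.encode()):
        raise ImportRejected(f"{sa.access_key}: access key collides with the system key")
    # The parent must be an identity the deployment already knows (assumed policy).
    if sa.parent not in known_users:
        raise ImportRejected(f"{sa.access_key}: unknown parent {sa.parent!r}")
    # sa-policy is caller-supplied; a privileged value must not pass through untouched.
    policy = sa.claims.get("sa-policy")
    if policy in PRIVILEGED_POLICIES:
        raise ImportRejected(f"{sa.access_key}: privileged sa-policy {policy!r}")


def import_guarded(entries, store, known_users):
    """Validate every entry first, then write: a bad payload changes nothing."""
    for sa in entries:
        validate_entry(sa, known_users)
    for sa in entries:
        store[sa.access_key] = sa
    return sorted(store)
```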
An attacker who holds only the ImportIAMAction delegated privilege can weaponize this flaw with the following steps:
- Craft a malicious svcaccts.json containing a service account with parent: "minioadmin", a custom accessKey/secretKey pair, and sa-policy: "consoleAdmin" in the claims field
- Package it into a ZIP archive (iam-import.zip) and deliver it via an authenticated PUT /rustfs/admin/v3/import-iam request using the sub-admin's credentials
- The endpoint provisions the backdoor account without enforcing privilege checks, returning {"added": {"service_accounts": ["BACKDOOR0000001"]}}
- Use the new credentials to authenticate as a full administrator, confirmed by successful execution of privileged admin API calls such as list-service-accounts
This attack requires no user interaction, operates entirely over the network, and produces persistent credentials stored in IAM state that survive restarts, making cleanup non-trivial.
The real-world impact of successful exploitation is severe across all deployment contexts:
- Full administrative takeover of the RustFS instance, including bucket management and IAM reconfiguration
- Persistent backdoor access that survives credential rotation if the implanted service account goes undetected
- Data exfiltration risk from all stored objects across all buckets
- Lateral movement potential in environments where RustFS is integrated with cloud IAM, Kubernetes workloads, or CI/CD pipelines
- Supply chain and compliance implications for organizations running RustFS in regulated industries
This vulnerability is part of a broader wave of security issues affecting RustFS versions before 1.0.0-beta.2, including a hard-coded RSA private key (CVE-2026-45041), an unauthenticated license metadata endpoint (CVE-2026-47136), and sensitive log leakage (CVE-2026-45040).
Mitigation
CVE-2026-45043 is fixed in RustFS version 1.0.0-beta.2, released on May 20, 2026. The advisory notes that no patched version existed at the time of original disclosure, meaning every prior version in the affected range (listed as "< latest") was exposed.
Organizations running RustFS should take the following actions immediately:
- Upgrade to 1.0.0-beta.2 or later as the primary remediation step
- Audit all current IAM service accounts for unknown parent associations, especially those tied to minioadmin
- Restrict ImportIAMAction to the absolute minimum number of trusted principals
- Review IAM state files for anomalous entries, including custom sa-policy: consoleAdmin claims
- Enable centralized logging and alerting on all admin endpoint access, particularly import-iam calls
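As an added example (not from the advisory or the RustFS project), a small Python audit over an exported service-account file that flags the indicators the list above names: a parent tied to the root identity, a privileged sa-policy claim, and access keys absent from the organization's provisioning record. The file layout, the root identity set and the provisioning record are assumptions.

```python
import json

# Constructed sample of an exported svcaccts.json; the exact on-disk layout is
# an assumption (a list of entries using the field names the advisory quotes).
SAMPLE_SVCACCTS = """
[
  {"parent": "alice", "accessKey": "AKIAALICE01", "secretKey": "***",
   "claims": {"sa-policy": "readonly"}},
  {"parent": "minioadmin", "accessKey": "BACKDOOR0000001", "secretKey": "***",
   "claims": {"sa-policy": "consoleAdmin"}},
  {"parent": "bob", "accessKey": "AKIAUNKNOWN99", "secretKey": "***",
   "claims": {}}
]
"""

# Constructed reference data: the root identity that no imported account should
# hang off, and the policy names treated as privileged.
ROOT_IDENTITIES = {"minioadmin"}
PRIVILEGED_POLICIES = {"consoleAdmin"}


def audit_service_accounts(svcaccts_json, expected_keys):
    """Return (access_key, reason) findings for every entry that needs review.

    expected_keys is the set of access keys the provisioning record (IaC,
    ticketing, etc.) says should exist; anything else is flagged for follow-up.
    """
    findings = []
    for entry in json.loads(svcaccts_json):
        key = entry.get("accessKey", "<missing>")
        if entry.get("parent") in ROOT_IDENTITIES:
            findings.append((key, "parent is a root identity"))
        if entry.get("claims", {}).get("sa-policy") in PRIVILEGED_POLICIES:
            findings.append((key, "privileged sa-policy claim"))
        if key not in expected_keys:
            findings.append((key, "access key not in the provisioning record"))
    return findings


def flagged_keys(findings):
    """Distinct access keys that appear in at least one finding, sorted."""
    return sorted({key for key, _ in findings})
```

Run the audit against the real export with the real provisioning record; an entry that trips all three checks matches the pattern described in the advisory and should be removed and its parent's credentials rotated.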
FAQ
Q1. Who is affected by CVE-2026-45043?
Any organization running RustFS versions before 1.0.0-beta.2 where at least one user or role has been granted the ImportIAMAction privilege is directly vulnerable to this privilege escalation attack.
Q2. Does exploiting this vulnerability require admin credentials?
No, only a low-privilege account with the delegated ImportIAMAction permission is required; no existing admin credentials are needed to create root-level backdoor service accounts.
Q3. Is there an active exploit or evidence of in-the-wild exploitation?
A functional proof-of-concept was published alongside the advisory by the reporting researcher, though no confirmed in-the-wild exploitation campaigns have been publicly disclosed as of May 30, 2026.
Q4. What CVSS score does CVE-2026-45043 carry, and what does it mean?
The vulnerability carries a Critical CVSS v4.0 rating, reflecting network-based exploitation, minimal attacker requirements, and high impacts on confidentiality and integrity across both the vulnerable and downstream systems.
Site: thecybrdef.com