The ImportIam admin API validates permissions using ExportIAMAction instead of ImportIAMAction, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions (creating/updating users, groups, policies, and service accounts), this can lead to unauthorized IAM modification and privilege escalation.
In ImportIam, the authorization check is implemented as follows:
```rust
// Authorization check in the Import IAM handler: the required action is
// ExportIAMAction, which does not match the import operation being performed.
validate_admin_request(
    &req.headers,
    &cred,
    owner,
    false,
    vec![Action::AdminAction(AdminAction::ExportIAMAction)],
).await?;
```
However, this code resides in the Import IAM operation (struct ImportIam {}), which performs state-changing IAM writes.
The expected behavior is to validate against AdminAction::ImportIAMAction (or an equivalent import-specific admin action), not ExportIAMAction.
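The mismatch described above, as an added illustration that is not rustfs code: a minimal model of an admin-action gate (a hypothetical `Credential` holding the set of granted actions and a simplified stand-in for `validate_admin_request`) with the import handler written once gating on `ExportIAMAction` and once on `ImportIAMAction`, so an export-only principal can be checked against both.

```rust
// Added illustration, not rustfs code: a minimal model of the admin-action
// check so the ExportIAMAction/ImportIAMAction mismatch can be exercised.
use std::collections::HashSet;

#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub enum AdminAction {
    ExportIAMAction,
    ImportIAMAction,
}

/// Hypothetical credential: the set of admin actions its policy grants.
pub struct Credential {
    pub allowed: HashSet<AdminAction>,
}

/// Simplified stand-in for validate_admin_request: the request is authorized
/// only if every required action is granted to the credential.
pub fn validate_admin_request(cred: &Credential, required: &[AdminAction]) -> Result<(), String> {
    match required.iter().find(|a| !cred.allowed.contains(*a)) {
        None => Ok(()),
        Some(a) => Err(format!("access denied: missing {:?}", a)),
    }
}

/// The pattern the advisory describes: the import handler gates on the
/// export action, so an export-only principal passes the check.
pub fn import_iam_vulnerable(cred: &Credential) -> Result<(), String> {
    validate_admin_request(cred, &[AdminAction::ExportIAMAction])?;
    Ok(()) // privileged IAM writes would follow here
}

/// Fixed form: the required action matches the operation being performed.
pub fn import_iam_fixed(cred: &Credential) -> Result<(), String> {
    validate_admin_request(cred, &[AdminAction::ImportIAMAction])?;
    Ok(())
}

/// Constructed principal holding only ExportIAMAction.
pub fn export_only_credential() -> Credential {
    Credential { allowed: HashSet::from([AdminAction::ExportIAMAction]) }
}

fn main() {
    let cred = export_only_credential();
    println!("vulnerable gate: {:?}", import_iam_vulnerable(&cred)); // Ok(())
    println!("fixed gate:      {:?}", import_iam_fixed(&cred)); // Err(..)
}
```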
Prerequisites
Steps
AdminAction::ExportIAMAction and without Import IAM privileges.
Send a request to the Import IAM endpoint (the same endpoint handled by ImportIam::call), authenticating with the export-only credentials.
Observe that:
Expected Result
Actual Result
| Score | Percentile |
|---|---|
| 0.05% | 15.51% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 5.7 | 4.0 | — | |
| Type | Value |
|---|---|
| GHSA | GHSA-vcwh-pff9-64cc |
| CVE | CVE-2026-22042 |
| CWE id | Name |
|---|---|
| CWE-285 | Improper Authorization |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| rust | rustfs | < 1.0.0-alpha.79 | 1.0.0-alpha.79 | — |