Excessive privileges in rustfs

Description

RustFS has IAM deny_only Short-Circuit that Allows Privilege Escalation via Service Account Minting

Summary

A flawed deny_only short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent’s full privileges. This enables privilege escalation and bypass of session/inline policy restrictions.

Details

This issue is akin to MinIO CVE-2025-62506.

    Policy evaluation: Policy::is_allowed returns true when deny_only=true if no explicit Deny is hit, skipping all Allow checks (crates/policy/src/policy/policy.rs:66-74).

    Service account creation path sets deny_only=true when the target user equals the caller or its parent (rustfs/src/admin/handlers/service_account.rs:114-127).

    Service accounts are created without session_policy by default, so claims lack SESSION_POLICY_NAME; combined with deny_only, self-operations are allowed without Allow statements.

    Result: a limited service account/STS can create a new service account without policy and obtain the parent’s full rights (even root), bypassing original restrictions.

Key code references:

    crates/policy/src/policy/policy.rs (deny_only short-circuit)

    rustfs/src/admin/handlers/service_account.rs (deny_only set for self/parent target)

    crates/iam/src/sys.rs (service account creation defaults, no session_policy)
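As an added illustration (not RustFS's own code and not its patch), the Rust model below reproduces the deny_only evaluation described under Details and contrasts it with a hardened variant in which a credential that carries a session policy never takes the short-circuit. The Policy/Statement types, the matching rules and the session-policy flag are assumptions made for this model.

```rust
// Added example: minimal model of the deny_only short-circuit, not RustFS code.
#[derive(Clone, Copy, PartialEq)]
pub enum Effect { Allow, Deny }

// Hypothetical statement shape: exact action/resource names or "*" wildcard.
pub struct Statement {
    pub effect: Effect,
    pub actions: &'static [&'static str],
    pub resources: &'static [&'static str],
}

pub struct Policy { pub statements: Vec<Statement> }

fn matches(s: &Statement, action: &str, resource: &str) -> bool {
    s.actions.iter().any(|a| *a == "*" || *a == action)
        && s.resources.iter().any(|r| *r == "*" || *r == resource)
}

impl Policy {
    /// Flawed evaluation: once no explicit Deny matches, deny_only=true returns
    /// true immediately, so the Allow statements are never consulted.
    pub fn is_allowed_flawed(&self, action: &str, resource: &str, deny_only: bool) -> bool {
        if self.statements.iter().any(|s| s.effect == Effect::Deny && matches(s, action, resource)) {
            return false;
        }
        if deny_only {
            return true;
        }
        self.statements.iter().any(|s| s.effect == Effect::Allow && matches(s, action, resource))
    }

    /// Hardened evaluation (an assumed fix, not the project's actual patch): the
    /// short-circuit is only honoured for callers without a session policy; a
    /// restricted credential must still hit an explicit Allow in its policy.
    pub fn is_allowed_hardened(&self, action: &str, resource: &str, deny_only: bool, has_session_policy: bool) -> bool {
        self.is_allowed_flawed(action, resource, deny_only && !has_session_policy)
    }
}

/// Constructed policy mirroring the PoC's "List/Get/Put only on bucket1/2".
pub fn restricted_policy() -> Policy {
    Policy { statements: vec![Statement {
        effect: Effect::Allow,
        actions: &["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
        resources: &["bucket1", "bucket2"],
    }] }
}
```

With deny_only=true and no explicit Deny, the flawed path permits a self-targeted service-account creation the restricted policy never allowed; the hardened path rejects it while still honouring the policy's real Allow statements.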

PoC

Requires awscli, awscurl, jq, RustFS at http://127.0.0.1:9000, root AK/SK rustfsadmin/rustfsadmin. Run:

#!/usr/bin/env bash
set -euo pipefail

# ===================== Config =====================
ENDPOINT="${ENDPOINT:-http://127.0.0.1:9000}"
ROOT_AK="${ROOT_AK:-rustfsadmin}"
ROOT_SK="${ROOT_SK:-rustfsadmin}"
PARENT_AK="${PARENT_AK:-restricted}"...

PoC steps (in poc.sh):

    Cleanup old test accounts/buckets; create bucket1/2/3; seed bucket3 with poc-marker.txt.

    Create restricted policy (List/Get/Put only on bucket1/2).

    Create restricted service account restricted/restricted123 with that policy.

    With restricted, create child service account evilchild/evilchild123 without policy (deny_only short-circuit).

    With evilchild, list bucket3 and read/write objects (expected to be denied; success demonstrates the vulnerability). The script prints SUCCESS/DENIED.

Result:

./poc.sh
[+] cleanup service accounts (ignore errors)
[+] cleanup buckets
[+] create buckets
make_bucket: bucket1
make_bucket: bucket2
make_bucket: bucket3
[+] seed bucket3 with marker object...

Impact

Privilege escalation / authorization bypass. Any holder of a restricted service account or STS credential can mint an unrestricted service account and gain parent-level (up to root) access across S3/Admin/KMS operations. High risk to confidentiality and integrity.

Mitigation
