CVE-2026-40937 | THREATINT

Description

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch.

PUBLISHED Reserved 2026-04-15 | Published 2026-04-22 | Updated 2026-04-23 | Assigner GitHub_M

HIGH: 8.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Problem types

CWE-862: Missing Authorization

Product status

< 1.0.0-alpha.94

affected

References

github.com/...rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm

github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94

cve.org (CVE-2026-40937)

nvd.nist.gov (CVE-2026-40937)

Download JSON