CVE-2026-40937

Summary

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a check_permissions helper that validates authentication only (access key + session token), without performing any admin-action authorization via validate_admin_request. Every other admin handler in the codebase correctly calls validate_admin_request with a specific AdminAction. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch.

Affected Software

VendorProductVersion RangeStatus
rustfsrustfs< 1.0.0-alpha.94affected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References