← Back

CVE-2026-40937

nvd nist
Published: Apr 22, 2026Modified: Apr 24, 2026

JSON object

Loading...
8.3
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Exploitability: 2.8 / Impact: 5.5
Source: security-advisories@github.com (Secondary)

Description

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch.

Affected (93)

Products: Rustfs: Rustfs
Rustfs
1 product
Rustfs
Configuration A
93 vulnerable
Vulnerable SoftwareAffected Versions
Rustfs
Rustfs
Version 1.0.0 alpha10
Rustfs
Version 1.0.0 alpha11
Rustfs
Version 1.0.0 alpha12
Rustfs
Version 1.0.0 alpha13
Rustfs
Version 1.0.0 alpha14
Rustfs
Version 1.0.0 alpha15
Rustfs
Version 1.0.0 alpha16
Rustfs
Version 1.0.0 alpha17
Rustfs
Version 1.0.0 alpha18
Rustfs
Version 1.0.0 alpha19
Rustfs
Version 1.0.0 alpha1
Rustfs
Version 1.0.0 alpha20
Rustfs
Version 1.0.0 alpha21
Rustfs
Version 1.0.0 alpha22
Rustfs
Version 1.0.0 alpha23
Rustfs
Version 1.0.0 alpha24
Rustfs
Version 1.0.0 alpha25
Rustfs
Version 1.0.0 alpha26
Rustfs
Version 1.0.0 alpha27
Rustfs
Version 1.0.0 alpha28
Rustfs
Version 1.0.0 alpha29
Rustfs
Version 1.0.0 alpha2
Rustfs
Version 1.0.0 alpha30
Rustfs
Version 1.0.0 alpha31
Rustfs
Version 1.0.0 alpha32
Rustfs
Version 1.0.0 alpha33
Rustfs
Version 1.0.0 alpha34
Rustfs
Version 1.0.0 alpha35
Rustfs
Version 1.0.0 alpha36
Rustfs
Version 1.0.0 alpha37
Rustfs
Version 1.0.0 alpha38
Rustfs
Version 1.0.0 alpha39
Rustfs
Version 1.0.0 alpha3
Rustfs
Version 1.0.0 alpha40
Rustfs
Version 1.0.0 alpha41
Rustfs
Version 1.0.0 alpha42
Rustfs
Version 1.0.0 alpha43
Rustfs
Version 1.0.0 alpha44
Rustfs
Version 1.0.0 alpha45
Rustfs
Version 1.0.0 alpha46
Rustfs
Version 1.0.0 alpha47
Rustfs
Version 1.0.0 alpha48
Rustfs
Version 1.0.0 alpha49
Rustfs
Version 1.0.0 alpha4
Rustfs
Version 1.0.0 alpha50
Rustfs
Version 1.0.0 alpha51
Rustfs
Version 1.0.0 alpha52
Rustfs
Version 1.0.0 alpha53
Rustfs
Version 1.0.0 alpha54
Rustfs
Version 1.0.0 alpha55
Rustfs
Version 1.0.0 alpha56
Rustfs
Version 1.0.0 alpha57
Rustfs
Version 1.0.0 alpha58
Rustfs
Version 1.0.0 alpha59
Rustfs
Version 1.0.0 alpha5
Rustfs
Version 1.0.0 alpha60
Rustfs
Version 1.0.0 alpha61
Rustfs
Version 1.0.0 alpha62
Rustfs
Version 1.0.0 alpha63
Rustfs
Version 1.0.0 alpha64
Rustfs
Version 1.0.0 alpha65
Rustfs
Version 1.0.0 alpha66
Rustfs
Version 1.0.0 alpha67
Rustfs
Version 1.0.0 alpha68
Rustfs
Version 1.0.0 alpha69
Rustfs
Version 1.0.0 alpha6
Rustfs
Version 1.0.0 alpha70
Rustfs
Version 1.0.0 alpha71
Rustfs
Version 1.0.0 alpha72
Rustfs
Version 1.0.0 alpha73
Rustfs
Version 1.0.0 alpha74
Rustfs
Version 1.0.0 alpha75
Rustfs
Version 1.0.0 alpha76
Rustfs
Version 1.0.0 alpha77
Rustfs
Version 1.0.0 alpha78
Rustfs
Version 1.0.0 alpha79
Rustfs
Version 1.0.0 alpha7
Rustfs
Version 1.0.0 alpha80
Rustfs
Version 1.0.0 alpha81
Rustfs
Version 1.0.0 alpha82
Rustfs
Version 1.0.0 alpha83
Rustfs
Version 1.0.0 alpha84
Rustfs
Version 1.0.0 alpha85
Rustfs
Version 1.0.0 alpha86
Rustfs
Version 1.0.0 alpha87
Rustfs
Version 1.0.0 alpha88
Rustfs
Version 1.0.0 alpha89
Rustfs
Version 1.0.0 alpha8
Rustfs
Version 1.0.0 alpha90
Rustfs
Version 1.0.0 alpha91
Rustfs
Version 1.0.0 alpha92
Rustfs
Version 1.0.0 alpha93
Rustfs
Version 1.0.0 alpha9

Related CWEs

CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

Source: security-advisories@github.com
ProductRelease Notes
Source: security-advisories@github.com
MitigationVendor Advisory

Timeline

No history available yet.