๐Ÿ” CVE Alert

CVE-2026-40937

HIGH 8.3

RustFS missing admin authorization on notification target endpoints, which allows unauthenticated configuration of event webhooks

CVSS Score: 8.3
EPSS Score: 0.0%
EPSS Percentile: 0th

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch.

CWE CWE-862
Vendor rustfs
Product rustfs
Published Apr 22, 2026
Stay Ahead of the Next One

Get instant alerts for rustfs rustfs

Be the first to know when new high vulnerabilities affecting rustfs rustfs are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Affected Versions

rustfs / rustfs
< 1.0.0-alpha.94

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm github.com: https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94