CVE-2026-40937
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
22/04/2026
Last modified:
24/04/2026
Description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch.
Impact
Base Score 3.x
8.30
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:rustfs:rustfs:1.0.0:alpha1:*:*:*:rust:*:* | ||
| cpe:2.3:a:rustfs:rustfs:1.0.0:alpha10:*:*:*:rust:*:* | ||
| cpe:2.3:a:rustfs:rustfs:1.0.0:alpha11:*:*:*:rust:*:* | ||
| cpe:2.3:a:rustfs:rustfs:1.0.0:alpha12:*:*:*:rust:*:* | ||
| cpe:2.3:a:rustfs:rustfs:1.0.0:alpha13:*:*:*:rust:*:* | ||
| cpe:2.3:a:rustfs:rustfs:1.0.0:alpha14:*:*:*:rust:*:* | ||
| cpe:2.3:a:rustfs:rustfs:1.0.0:alpha15:*:*:*:rust:*:* | ||
| cpe:2.3:a:rustfs:rustfs:1.0.0:alpha16:*:*:*:rust:*:* | ||
| cpe:2.3:a:rustfs:rustfs:1.0.0:alpha17:*:*:*:rust:*:* | ||
| cpe:2.3:a:rustfs:rustfs:1.0.0:alpha18:*:*:*:rust:*:* | ||
| cpe:2.3:a:rustfs:rustfs:1.0.0:alpha19:*:*:*:rust:*:* | ||
| cpe:2.3:a:rustfs:rustfs:1.0.0:alpha2:*:*:*:rust:*:* | ||
| cpe:2.3:a:rustfs:rustfs:1.0.0:alpha20:*:*:*:rust:*:* | ||
| cpe:2.3:a:rustfs:rustfs:1.0.0:alpha21:*:*:*:rust:*:* | ||
| cpe:2.3:a:rustfs:rustfs:1.0.0:alpha22:*:*:*:rust:*:* |
To consult the complete list of CPE names with products and versions, see this page