Description

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch.

INFO

Published Date :

2026-04-22T20:15:57.266Z

Last Modified :

2026-04-23T16:24:57.337Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40937 vulnerability.

Vendors Products
Rustfs
  • Rustfs
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40937.

URL Resource
https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94 cve-icon cve-icon
https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact