216.73.217.22

CVE-2026-40937

· Published 22/04/2026 21:17 · Modified 22/04/2026 21:23

Labels: CVE-2026-40937 2026-04-22CVE-2026-40937CWE-862[email protected]

Essential information

Published
22/04/2026 21:17
Modified
22/04/2026 21:23
Author
Creator
CVSS
8.3 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CVSS metrics

Description

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch.

NVD status

Status
Undergoing Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
rustfs / rustfs cpe:2.3:a:rustfs:rustfs:<1.0.0-alpha.94:*:*:*:*:*:*:*

References