CVE-2026-40937
Awaiting Analysis Awaiting Analysis - Queue
Authorization Bypass in RustFS Admin API Enables Event Hijacking

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40937
Affected Vendors & Products
Showing 93 associated CPEs
Vendor Product Version / Range
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
rustfs rustfs 1.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in RustFS, a distributed object storage system. Before version 1.0.0-alpha.94, four admin API endpoints related to notification targets only checked authentication (access key and session token) but did not perform proper authorization checks for admin actions. This means that a non-admin user could overwrite a shared notification target defined by an admin, causing bucket event notifications to be sent to an attacker-controlled endpoint.

The issue arises because these specific admin handlers skipped the usual authorization validation step that other admin handlers perform. This flaw allows unauthorized users to intercept events and evade audit mechanisms.

Impact Analysis

This vulnerability can have serious impacts including unauthorized interception of bucket event notifications by attackers. Since a non-admin user can redirect events to an attacker-controlled endpoint, sensitive event data could be exposed.

Additionally, attackers can evade audit trails by manipulating notification targets, potentially hiding malicious activities or unauthorized access.

Overall, this leads to a high risk of confidentiality and integrity breaches, as well as a low risk to availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade RustFS to version 1.0.0-alpha.94 or later, as this version contains the patch that fixes the authorization bypass in the admin API endpoints.

Compliance Impact

This vulnerability allows a non-admin user to overwrite a shared admin-defined notification target, enabling cross-user event interception and audit evasion. Such unauthorized access and manipulation of event notifications can lead to breaches of confidentiality and integrity of sensitive data.

As a result, this flaw could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information, as well as accurate auditing and logging of administrative actions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40937. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart