CVE-2026-40937

Awaiting Analysis Awaiting Analysis - Queue

Authorization Bypass in RustFS Admin API Enables Event Hijacking

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-22

Last Modified

2026-04-24

Generated

2026-05-07

AI Q&A

2026-04-23

EPSS Evaluated

2026-05-05

NVD

CVE-2026-40937

Affected Vendors & Products

Vendor	Product	Version / Range
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0
rustfs	rustfs	1.0.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-862	The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Powered Q&A

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows a non-admin user to overwrite a shared admin-defined notification target, enabling cross-user event interception and audit evasion. Such unauthorized access and manipulation of event notifications can lead to breaches of confidentiality and integrity of sensitive data.

As a result, this flaw could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information, as well as accurate auditing and logging of administrative actions.

Can you explain this vulnerability to me?

This vulnerability exists in RustFS, a distributed object storage system. Before version 1.0.0-alpha.94, four admin API endpoints related to notification targets only checked authentication (access key and session token) but did not perform proper authorization checks for admin actions. This means that a non-admin user could overwrite a shared notification target defined by an admin, causing bucket event notifications to be sent to an attacker-controlled endpoint.

The issue arises because these specific admin handlers skipped the usual authorization validation step that other admin handlers perform. This flaw allows unauthorized users to intercept events and evade audit mechanisms.

How can this vulnerability impact me? :

This vulnerability can have serious impacts including unauthorized interception of bucket event notifications by attackers. Since a non-admin user can redirect events to an attacker-controlled endpoint, sensitive event data could be exposed.

Additionally, attackers can evade audit trails by manipulating notification targets, potentially hiding malicious activities or unauthorized access.

Overall, this leads to a high risk of confidentiality and integrity breaches, as well as a low risk to availability.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade RustFS to version 1.0.0-alpha.94 or later, as this version contains the patch that fixes the authorization bypass in the admin API endpoints.

Ask Our AI Assistant

Need more information? Ask your question to get an AI reply (Powered by our expertise)

0/70

CVE-2026-40937

Authorization Bypass in RustFS Admin API Enables Event Hijacking

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Powered Q&A

Ask Our AI Assistant

EPSS Chart