CVE-2026-40937

Source
https://cve.org/CVERecord?id=CVE-2026-40937
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40937.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40937
Aliases
Published
2026-04-22T20:15:57.266Z
Modified
2026-07-08T08:05:11.987362923Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L CVSS Calculator
Summary
RustFS missing admin authorization on notification target endpoints, which allows unauthenticated configuration of event webhooks
Details

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a check_permissions helper that validates authentication only (access key + session token), without performing any admin-action authorization via validate_admin_request. Every other admin handler in the codebase correctly calls validate_admin_request with a specific AdminAction. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40937.json"
}
References

Affected packages

Git / github.com/rustfs/rustfs

Affected ranges

Type
GIT
Repo
https://github.com/rustfs/rustfs
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.0.0-alpha.94"
        }
    ]
}

Affected versions

1.*
1.0.0-alpha.1
1.0.0-alpha.10
1.0.0-alpha.11
1.0.0-alpha.12
1.0.0-alpha.13
1.0.0-alpha.14
1.0.0-alpha.15
1.0.0-alpha.16
1.0.0-alpha.17
1.0.0-alpha.18
1.0.0-alpha.19
1.0.0-alpha.2
1.0.0-alpha.20
1.0.0-alpha.21
1.0.0-alpha.22
1.0.0-alpha.23
1.0.0-alpha.24
1.0.0-alpha.25
1.0.0-alpha.26
1.0.0-alpha.27
1.0.0-alpha.28
1.0.0-alpha.29
1.0.0-alpha.3
1.0.0-alpha.30
1.0.0-alpha.31
1.0.0-alpha.32
1.0.0-alpha.33
1.0.0-alpha.34
1.0.0-alpha.35
1.0.0-alpha.36
1.0.0-alpha.37
1.0.0-alpha.38
1.0.0-alpha.39
1.0.0-alpha.4
1.0.0-alpha.40
1.0.0-alpha.41
1.0.0-alpha.42
1.0.0-alpha.43
1.0.0-alpha.44
1.0.0-alpha.45
1.0.0-alpha.46
1.0.0-alpha.47
1.0.0-alpha.48
1.0.0-alpha.49
1.0.0-alpha.5
1.0.0-alpha.50
1.0.0-alpha.51
1.0.0-alpha.52
1.0.0-alpha.53
1.0.0-alpha.54
1.0.0-alpha.55
1.0.0-alpha.56
1.0.0-alpha.57
1.0.0-alpha.58
1.0.0-alpha.59
1.0.0-alpha.6
1.0.0-alpha.60
1.0.0-alpha.61
1.0.0-alpha.62
1.0.0-alpha.63
1.0.0-alpha.64
1.0.0-alpha.65
1.0.0-alpha.66
1.0.0-alpha.67
1.0.0-alpha.68
1.0.0-alpha.69
1.0.0-alpha.7
1.0.0-alpha.70
1.0.0-alpha.71
1.0.0-alpha.72
1.0.0-alpha.73
1.0.0-alpha.74
1.0.0-alpha.75
1.0.0-alpha.76
1.0.0-alpha.77
1.0.0-alpha.78
1.0.0-alpha.79
1.0.0-alpha.8
1.0.0-alpha.80
1.0.0-alpha.81
1.0.0-alpha.82
1.0.0-alpha.83
1.0.0-alpha.84
1.0.0-alpha.85
1.0.0-alpha.86
1.0.0-alpha.87
1.0.0-alpha.88
1.0.0-alpha.89
1.0.0-alpha.9
1.0.0-alpha.90
1.0.0-alpha.91
1.0.0-alpha.92
1.0.0-alpha.93

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40937.json"