CVE-2026-40937

EPSS 0.29%
Veröffentlicht 22.04.2026 20:15:57
Zuletzt bearbeitet 24.04.2026 13:12:29
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

RustFS missing admin authorization on notification target endpoints, which allows unauthenticated configuration of event webhooks

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 93 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Rustfs ≫ Rustfs Version1.0.0 Updatealpha1 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha10 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha11 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha12 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha13 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha14 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha15 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha16 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha17 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha18 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha19 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha2 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha20 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha21 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha22 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha23 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha24 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha25 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha26 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha27 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha28 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha29 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha3 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha30 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha31 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha32 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha33 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha34 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha35 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha36 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha37 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha38 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha39 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha4 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha40 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha41 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha42 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha43 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha44 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha45 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha46 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha47 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha48 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha49 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha5 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha50 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha51 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha52 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha53 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha54 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha55 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha56 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha57 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha58 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha59 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha6 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha60 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha61 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha62 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha63 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha64 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha65 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha66 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha67 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha68 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha69 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha7 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha70 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha71 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha72 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha73 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha74 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha75 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha76 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha77 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha78 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha79 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha8 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha80 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha81 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha82 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha83 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha84 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha85 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha86 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha87 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha88 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha89 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha9 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha90 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha91 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha92 SwPlatformrust

Rustfs ≫ Rustfs Version1.0.0 Updatealpha93 SwPlatformrust

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.29%	0.207

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.3	2.8	5.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm

Vendor Advisory

Mitigation

https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94

Product

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-40937

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-40937

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-40937

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-40937