{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40937", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T20:40:15.518Z", "datePublished": "2026-04-22T20:15:57.266Z", "dateUpdated": "2026-04-23T16:24:57.337Z"}, "containers": {"cna": {"title": "RustFS missing admin authorization on notification target endpoints, which allows unauthenticated configuration of event webhooks", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm"}, {"name": "https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94", "tags": ["x_refsource_MISC"], "url": "https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94"}], "affected": [{"vendor": "rustfs", "product": "rustfs", "versions": [{"version": "< 1.0.0-alpha.94", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T20:15:57.266Z"}, "descriptions": [{"lang": "en", "value": "RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch."}], "source": {"advisory": "GHSA-pfcq-4gjr-6gjm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T13:41:06.202053Z", "id": "CVE-2026-40937", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T16:24:57.337Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "RustFS missing admin authorization on notification target endpoints, which allows unauthenticated configuration of event webhooks", "source": {"advisory": "GHSA-pfcq-4gjr-6gjm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "rustfs", "product": "rustfs", "versions": [{"status": "affected", "version": "< 1.0.0-alpha.94"}]}], "references": [{"url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm", "name": "https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94", "name": "https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T20:15:57.266Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40937", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-23T13:41:06.202053Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-23T13:41:10.574Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-40937", "state": "PUBLISHED", "dateUpdated": "2026-04-22T20:15:57.266Z", "dateReserved": "2026-04-15T20:40:15.518Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-22T20:15:57.266Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha1:*:*:*:rust:*:*", "matchCriteriaId": "454A2F3A-76CF-4F2D-97FE-AEDEBE8FF1CA", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha10:*:*:*:rust:*:*", "matchCriteriaId": "32B2D146-7920-4C6D-B42F-1BDDF5193394", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha11:*:*:*:rust:*:*", "matchCriteriaId": "B25BC365-35BA-438A-B5B1-3FA696767821", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha12:*:*:*:rust:*:*", "matchCriteriaId": "B69213F1-7D94-4185-9309-FF3140733550", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha13:*:*:*:rust:*:*", "matchCriteriaId": "BD2476D6-257C-4A96-BED4-D8B002402242", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha14:*:*:*:rust:*:*", "matchCriteriaId": "774EC64C-73ED-4D6B-893B-30A066DA934C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha15:*:*:*:rust:*:*", "matchCriteriaId": "4B567F4F-131F-4D4B-8C0C-9212F22F2BB3", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha16:*:*:*:rust:*:*", "matchCriteriaId": "711F7641-A2B2-410B-B05D-6656F9A1798F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha17:*:*:*:rust:*:*", "matchCriteriaId": "EB79AC62-2B79-441C-BC09-4C834C32EADA", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha18:*:*:*:rust:*:*", "matchCriteriaId": "62DE84EE-9F3B-460A-AC13-D2B8CCBC5B4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha19:*:*:*:rust:*:*", "matchCriteriaId": "DEF70599-6550-49D2-9800-FE3249A66568", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha2:*:*:*:rust:*:*", "matchCriteriaId": "550786BD-A6A4-454B-BDAB-67AE64DABCA7", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha20:*:*:*:rust:*:*", "matchCriteriaId": "FDFE93A5-B6D7-482A-A891-4D8844604C07", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha21:*:*:*:rust:*:*", "matchCriteriaId": "79AC4F00-B006-46C2-863F-2946BB02B58E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha22:*:*:*:rust:*:*", "matchCriteriaId": "E313A243-ED56-498D-988F-E088693EBB61", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha23:*:*:*:rust:*:*", "matchCriteriaId": "D3A60CB7-1F01-4A60-8555-C225AC89B959", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha24:*:*:*:rust:*:*", "matchCriteriaId": "1C98618D-CF5D-406B-8AA5-34B412F3D43D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha25:*:*:*:rust:*:*", "matchCriteriaId": "98373960-FEDB-4933-92D5-2A597045DD23", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha26:*:*:*:rust:*:*", "matchCriteriaId": "83E0E1A5-3C07-45FF-80FD-0DB375E1575E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha27:*:*:*:rust:*:*", "matchCriteriaId": "C2D66076-4005-4F58-A8E2-69062053D786", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha28:*:*:*:rust:*:*", "matchCriteriaId": "1D8CB0F5-299F-4BB0-B264-F5642DD991C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha29:*:*:*:rust:*:*", "matchCriteriaId": "96E20418-FE0C-4202-8771-FFF8EBB1B62D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha3:*:*:*:rust:*:*", "matchCriteriaId": "C16A625B-3FC4-48EB-9107-6E7585080D15", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha30:*:*:*:rust:*:*", "matchCriteriaId": "810A17F9-AEEA-4396-B437-120789BBE882", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha31:*:*:*:rust:*:*", "matchCriteriaId": "7B1FECD4-E993-417D-AEA7-F8E97DC6A5FA", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha32:*:*:*:rust:*:*", "matchCriteriaId": "3839F299-E0E7-4994-A8AC-B67A534C9847", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha33:*:*:*:rust:*:*", "matchCriteriaId": "46CAEA4E-5DFD-4668-ABF0-DC53EB04EE7B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha34:*:*:*:rust:*:*", "matchCriteriaId": "591075AB-81EF-4D42-A2A0-FA28BC6B78CC", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha35:*:*:*:rust:*:*", "matchCriteriaId": "FD46ED07-6DCC-4BF8-A4E8-78B2FF6DCE4C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha36:*:*:*:rust:*:*", "matchCriteriaId": "6DF15533-D6E1-49B0-B30A-6FEECC7AE06C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha37:*:*:*:rust:*:*", "matchCriteriaId": "EC68F03A-D299-4BFB-A99E-4B08E4E0848F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha38:*:*:*:rust:*:*", "matchCriteriaId": "0DD60024-CAB2-4DA6-A9CA-503D2631E98B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha39:*:*:*:rust:*:*", "matchCriteriaId": "32470ED0-7873-41A3-B2D5-7CD444ED0A45", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha4:*:*:*:rust:*:*", "matchCriteriaId": "A88E9293-4B7C-4C52-9943-47197DB55D59", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha40:*:*:*:rust:*:*", "matchCriteriaId": "E2EFC74D-40E7-426C-9F7B-3B654F2B940F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha41:*:*:*:rust:*:*", "matchCriteriaId": "EAAF504E-51A5-492B-887E-BB67788B899C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha42:*:*:*:rust:*:*", "matchCriteriaId": "35C83244-D2C7-4D70-9C0B-D0590B00C608", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha43:*:*:*:rust:*:*", "matchCriteriaId": "429E4ECD-997A-4D3B-9DE2-60835AE14473", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha44:*:*:*:rust:*:*", "matchCriteriaId": "5DDDBAA5-D207-498C-A6F0-79F07806C511", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha45:*:*:*:rust:*:*", "matchCriteriaId": "81758B85-6D2B-4914-96EC-E4CCDE2F9A52", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha46:*:*:*:rust:*:*", "matchCriteriaId": "D439B484-E32D-4A6A-84EE-9307A028F736", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha47:*:*:*:rust:*:*", "matchCriteriaId": "FDA137F7-DC8A-44F4-8061-F502AC8DD7BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha48:*:*:*:rust:*:*", "matchCriteriaId": "AE3EF7B3-E8C0-4844-9165-3A26EB426615", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha49:*:*:*:rust:*:*", "matchCriteriaId": "EB40D926-AE20-46A7-9B6E-ED1BADB9A08B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha5:*:*:*:rust:*:*", "matchCriteriaId": "7F5E8DE5-ABB0-4884-B473-07FA596A8707", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha50:*:*:*:rust:*:*", "matchCriteriaId": "3A43A950-59A6-4343-815A-953C11DC3F13", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha51:*:*:*:rust:*:*", "matchCriteriaId": "87B36190-C30B-45BC-9738-BE0B3321025D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha52:*:*:*:rust:*:*", "matchCriteriaId": "86A2967C-E2C6-4C73-9BDE-CCECACDB2B02", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha53:*:*:*:rust:*:*", "matchCriteriaId": "5E10A654-E265-4469-8099-ABBB1F5D8BCF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha54:*:*:*:rust:*:*", "matchCriteriaId": "762591A8-A0A2-45D2-B15F-1E85DFC5CA86", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha55:*:*:*:rust:*:*", "matchCriteriaId": "53DE196C-1914-40AE-854D-4988073D57C3", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha56:*:*:*:rust:*:*", "matchCriteriaId": "5BE55B7E-3806-4F8A-B09C-7B9D173D3FAE", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha57:*:*:*:rust:*:*", "matchCriteriaId": "8CF07DA6-11F6-4A19-9FD9-1955EC22C779", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha58:*:*:*:rust:*:*", "matchCriteriaId": "1A571B98-0EE7-46A6-8514-3E02F9CE969A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha59:*:*:*:rust:*:*", "matchCriteriaId": "3263EEC7-94FF-4802-BCB2-0C3713079439", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha6:*:*:*:rust:*:*", "matchCriteriaId": "2B55C391-0232-4F06-A9D8-3663FA564E81", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha60:*:*:*:rust:*:*", "matchCriteriaId": "FA13E6EE-A889-408E-8503-2F57A5E46CE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha61:*:*:*:rust:*:*", "matchCriteriaId": "4D28A63E-ADE5-4DEC-8E75-0884A7011613", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha62:*:*:*:rust:*:*", "matchCriteriaId": "21E6129E-565C-45AE-A0C8-2D1B623EEC9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha63:*:*:*:rust:*:*", "matchCriteriaId": "046F640C-18E9-4FC4-812D-8E4CAAFCAE55", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha64:*:*:*:rust:*:*", "matchCriteriaId": "BFB217B7-78AA-4D16-9A2B-863BD6CD01B6", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha65:*:*:*:rust:*:*", "matchCriteriaId": "F8EEF3FF-410B-40F3-A144-CD61ED394109", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha66:*:*:*:rust:*:*", "matchCriteriaId": "E3494138-7FE7-4152-935C-C1C35179064B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha67:*:*:*:rust:*:*", "matchCriteriaId": "9E0461BC-0E45-4F9F-A837-4D9FC8852A75", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha68:*:*:*:rust:*:*", "matchCriteriaId": "E259407D-61CF-4956-A456-57F131334456", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha69:*:*:*:rust:*:*", "matchCriteriaId": "B6E44EF8-98A5-47F5-B7E9-3199EB08FAC1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha7:*:*:*:rust:*:*", "matchCriteriaId": "54AB158B-F536-4627-8C6B-65AEE112FDF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha70:*:*:*:rust:*:*", "matchCriteriaId": "F4CBBD85-02F9-491A-8845-59EFB88F2DAF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha71:*:*:*:rust:*:*", "matchCriteriaId": "2271380A-3AE1-4954-8D16-5065C8E88D32", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha72:*:*:*:rust:*:*", "matchCriteriaId": "DB3F6C7E-71E4-427A-96F4-F62DE0ED9450", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha73:*:*:*:rust:*:*", "matchCriteriaId": "980BEAAE-143E-4F28-9A2F-58CED3D296E9", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha74:*:*:*:rust:*:*", "matchCriteriaId": "8E14C88E-CE9B-44DA-98DE-280C0D6E4C8D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha75:*:*:*:rust:*:*", "matchCriteriaId": "EEC13614-61AD-45A7-B7FA-07346D33CACF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha76:*:*:*:rust:*:*", "matchCriteriaId": "6B3E9EB0-0A41-4146-B6A9-49B1A70358DC", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha77:*:*:*:rust:*:*", "matchCriteriaId": "CBDD75C5-1A08-4758-9324-172C1D539322", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha78:*:*:*:rust:*:*", "matchCriteriaId": "96461CC0-012C-40D7-B1CB-FF9A6B7EB644", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha79:*:*:*:rust:*:*", "matchCriteriaId": "9AA7AE2E-83E3-4796-8569-16030DB2CF38", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha8:*:*:*:rust:*:*", "matchCriteriaId": "F800AEB3-3AD7-42D8-BC3A-23703851435B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha80:*:*:*:rust:*:*", "matchCriteriaId": "73638EAF-BCA6-4BD8-90E5-3A53EFD0FD5C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha81:*:*:*:rust:*:*", "matchCriteriaId": "48BCB4A7-57C5-4FAA-860D-B862947EE352", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha82:*:*:*:rust:*:*", "matchCriteriaId": "0EA73A06-6AEA-45DF-B819-D25AA9BBEBA7", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha83:*:*:*:rust:*:*", "matchCriteriaId": "A82C642A-14DD-4D6E-920F-BF05CEA173AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha84:*:*:*:rust:*:*", "matchCriteriaId": "CA33A8E8-C07B-46F1-81CB-D61429EDDBFC", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha85:*:*:*:rust:*:*", "matchCriteriaId": "2178E577-606B-4ABA-B747-4584F444B235", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha86:*:*:*:rust:*:*", "matchCriteriaId": "77E9B4E9-2828-458A-8086-24A1E3ECCA1F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha87:*:*:*:rust:*:*", "matchCriteriaId": "83DF75E6-D5A9-4CCF-9580-D10BDFB9DAC4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha88:*:*:*:rust:*:*", "matchCriteriaId": "0DAE6A6F-4CFE-4D5B-981B-18212A654EF4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha89:*:*:*:rust:*:*", "matchCriteriaId": "B2762E72-9390-48A7-AD63-0EB7510442DF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha9:*:*:*:rust:*:*", "matchCriteriaId": "5821FADC-CF73-4639-911A-F3302D239B7C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha90:*:*:*:rust:*:*", "matchCriteriaId": "7F4D13A8-1A82-404C-93FA-AF94B7EC9D12", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha91:*:*:*:rust:*:*", "matchCriteriaId": "ED2FA642-2D41-4348-87B8-691F6FD3AC8A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha92:*:*:*:rust:*:*", "matchCriteriaId": "4D0D8649-65A9-4044-903B-EAFB6C73AD1B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha93:*:*:*:rust:*:*", "matchCriteriaId": "AEB051A2-5799-4C2C-AFE0-86851FFF0FF2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch."}], "id": "CVE-2026-40937", "lastModified": "2026-04-24T13:12:29.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T21:17:08.877", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.0-alpha.94)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "rustfs", "source": "cna", "vendor": "rustfs"}, "product": "rustfs", "vendor": "rustfs"}], "analysis": {"en": {"generated_at": "2026-04-27T08:26:37.515439+00:00", "value": {"mitigation_remediation": ["Apply the RustFS patch by upgrading to version 1.0.0\u2011alpha.94 or later, which restores admin\u2011action authorization on the notification target endpoints.", "Restrict access to the notification target admin API endpoints so that only users with administrative privileges can modify notification targets, and enforce unique target names to prevent accidental overwrites.", "Audit existing notification target configurations for unauthorized changes and implement monitoring to detect future attempts to alter them."], "summary": {"action": "Immediate Patch", "impact": "Cross-user event interception and audit evasion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects RustFS as supplied by the RustFS vendor. Versions prior to 1.0.0\u2011alpha.94 expose the four notification target admin API endpoints without proper admin\u2011action authorization. The affected product is rustfs:rustfs; any deployment running a pre\u20111.0.0\u2011alpha.94 build is potentially at risk.", "description_and_impact": "RustFS is a distributed object storage system written in Rust. A grant\u2011of permission flaw in the notification target admin API endpoints allows a user who holds normal authentication credentials to overwrite a shared, admin\u2011defined notification target. The attacker then redirects bucket events to a malicious webhook, intercepting events for other users and avoiding audit detection. This flaw is an authority control weakness (CWE\u2011862) that can compromise confidentiality of event data and disrupt audit logs.", "risk_and_exploitability": "The CVSS score of 8.3 indicates a high severity. No EPSS scoring is available but the flaw can be exploited by any authenticated non\u2011admin user who can reach the admin API endpoints, which are typically exposed on the same host as the storage service. The vulnerability is not publicly listed in the CISA KEV catalog, yet the lack of admin authorization makes it an easy vector for cross\u2011user data exfiltration and audit evasion."}}}}, "created": "2026-04-22T21:30:27.595343+00:00", "updated": "2026-04-27T18:42:00.082904+00:00", "vendors": ["rustfs", "rustfs$PRODUCT$rustfs"]}