CVE-2026-40937 HIGH

CVE-2026-40937: RustFS missing admin authorization on notification target endpoints, which allows unauthenticated configuration of event webhooks

Vendor Rustfs
Product rustfs
Weakness CWE-862 · Missing authorization
Published April 22, 2026
Last update April 23, 2026
View on NVD All CVEs

CVSS base score

8.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

01Description

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch.

Key dates

02Disclosure timeline

April 22, 2026 CVE published
April 23, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-49320 WordPress FraudLabs Pro for WooCommerce plugin <= 2.22.11 - Broken Access Control Vulnerability CVE-2024-8437 WP Easy Gallery – WordPress Gallery Plugin <= 4.8.5 - Missing Authorization to Authenticated (Subscriber+) Gallery Manipulation CVE-2024-42377 Multiple Missing Authorization Check vulnerabilities in SAP Shared Service Framework CVE-2024-9096 Improper Authorization in lunary-ai/lunary CVE-2025-14755 Cost Calculator Builder <= 4.0.1 - Unauthenticated Price Manipulation and Insecure Direct Object Reference