RustFS Flaw: Non-Admin Takeover of Notification Targets
The National Vulnerability Database (NVD) has disclosed CVE-2026-40937, a high-severity vulnerability (CVSS 8.3) in RustFS, a distributed object storage system. Prior to version 1.0.0-alpha.94, RustFS's admin API endpoints for notification targets did not perform proper authorization checks. Specifically, the check_permissions helper in rustfs/src/admin/handlers/event.rs only validated authentication (access key and session token) and never called validate_admin_request, the function that enforces per-AdminAction authorization.
This critical oversight allows any authenticated non-admin user to overwrite shared, admin-defined notification targets by name. The implications are severe: an attacker can redirect subsequent bucket events to an endpoint they control. This isn’t just a misconfiguration risk; it enables cross-user event interception and provides a clear path for audit evasion.
For defenders, this means a non-privileged user can effectively blind security teams to critical events or reroute sensitive data notifications. The NVD reports that version 1.0.0-alpha.94 contains the necessary patch. Organizations leveraging RustFS must prioritize this update to prevent unauthorized event manipulation and maintain data integrity and audit trails.
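The gap described above is an authentication-versus-authorization confusion: the handler confirmed who the caller was but never asked whether that caller held the specific admin action. The following Rust model, added here as an illustration and not taken from RustFS, shows the pre-fix pattern (authentication only) beside the hardened pattern (a per-action authorization gate) over a toy in-memory target store. Every type and function in it (`Principal`, `AdminAction`, `TargetStore`, `authenticate`, `validate_admin_request`, the sample principals and endpoints) is hypothetical and constructed for the example.

```rust
// Added illustration, not RustFS code: a minimal model of the authorization gap.
// All types, function names, principals and endpoints below are hypothetical.
use std::collections::HashSet;

/// Admin-only actions; the notification-target endpoint needs a dedicated one.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum AdminAction {
    SetNotificationTarget,
    ListNotificationTargets,
}

/// Caller identity as reconstructed from the request (hypothetical shape).
#[derive(Debug, Clone)]
pub struct Principal {
    pub access_key: String,
    pub session_valid: bool,
    pub allowed_admin_actions: HashSet<AdminAction>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum AuthError {
    Unauthenticated,
    Forbidden(AdminAction),
}

/// Step 1, authentication: does the request carry valid credentials?
pub fn authenticate(p: &Principal) -> Result<(), AuthError> {
    if p.access_key.is_empty() || !p.session_valid {
        return Err(AuthError::Unauthenticated);
    }
    Ok(())
}

/// Step 2, authorization: may this (authenticated) principal perform `action`?
pub fn validate_admin_request(p: &Principal, action: AdminAction) -> Result<(), AuthError> {
    authenticate(p)?;
    if p.allowed_admin_actions.contains(&action) {
        Ok(())
    } else {
        Err(AuthError::Forbidden(action))
    }
}

/// Shared, admin-defined notification targets: (name, webhook endpoint).
#[derive(Default)]
pub struct TargetStore {
    targets: Vec<(String, String)>,
}

impl TargetStore {
    pub fn endpoint_of(&self, name: &str) -> Option<&str> {
        self.targets.iter().find(|(n, _)| n == name).map(|(_, e)| e.as_str())
    }

    fn upsert(&mut self, name: &str, endpoint: &str) {
        match self.targets.iter_mut().find(|(n, _)| n == name) {
            Some(entry) => entry.1 = endpoint.to_string(),
            None => self.targets.push((name.to_string(), endpoint.to_string())),
        }
    }

    /// Pre-fix pattern: only authentication is checked, so any logged-in
    /// user can overwrite an admin-defined target by name.
    pub fn set_target_authn_only(&mut self, p: &Principal, name: &str, endpoint: &str) -> Result<(), AuthError> {
        authenticate(p)?;
        self.upsert(name, endpoint);
        Ok(())
    }

    /// Hardened pattern: the handler gates on the specific admin action.
    pub fn set_target_authz(&mut self, p: &Principal, name: &str, endpoint: &str) -> Result<(), AuthError> {
        validate_admin_request(p, AdminAction::SetNotificationTarget)?;
        self.upsert(name, endpoint);
        Ok(())
    }
}

/// Constructed sample principals (not real accounts).
pub fn admin_user() -> Principal {
    Principal {
        access_key: "admin-key".into(),
        session_valid: true,
        allowed_admin_actions: vec![AdminAction::SetNotificationTarget, AdminAction::ListNotificationTargets]
            .into_iter()
            .collect(),
    }
}

pub fn plain_user() -> Principal {
    Principal { access_key: "user-key".into(), session_valid: true, allowed_admin_actions: HashSet::new() }
}

fn main() {
    let mut store = TargetStore::default();
    store.set_target_authz(&admin_user(), "audit-webhook", "https://siem.example.internal/hook").unwrap();
    // Pre-fix behaviour: an authenticated non-admin silently replaces the shared target.
    let _ = store.set_target_authn_only(&plain_user(), "audit-webhook", "https://untrusted.example/hook");
    println!("after authn-only handler: {:?}", store.endpoint_of("audit-webhook"));
    // Hardened behaviour: the same request is refused with Forbidden.
    println!("hardened handler: {:?}", store.set_target_authz(&plain_user(), "audit-webhook", "https://untrusted.example/hook"));
}
```

The design point is that the authorization gate is tied to the resource-specific action, not to a generic "is admin" flag: a future endpoint that touches the same shared store has to name its own AdminAction, which makes an authentication-only handler stand out in review.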
What This Means For You
- If your organization uses RustFS, you need to verify your version immediately. This isn't theoretical: a low-privileged user can hijack your event notifications. Patch to 1.0.0-alpha.94 or later *now*. Then, audit your notification target configurations for any unauthorized changes or suspicious endpoints. This is a direct path to audit evasion and data exfiltration.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40937 | Auth Bypass | RustFS versions prior to 1.0.0-alpha.94 |
| CVE-2026-40937 | Auth Bypass | RustFS admin API endpoints in `rustfs/src/admin/handlers/event.rs` |
| CVE-2026-40937 | Information Disclosure | Cross-user event interception and audit evasion in RustFS |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 23, 2026 at 00:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.