{"id":"CVE-2026-40937","summary":"RustFS missing admin authorization on notification target endpoints, which allows unauthenticated configuration of event webhooks","details":"RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch.","aliases":["GHSA-pfcq-4gjr-6gjm"],"modified":"2026-07-15T01:48:54.618493523Z","published":"2026-04-22T20:15:57.266Z","database_specific":{"cwe_ids":["CWE-862"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40937.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40937.json"},{"type":"ADVISORY","url":"https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40937"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rustfs/rustfs","events":[{"introduced":"0"},{"fixed":"c0d3f53f7ad1b4267e6760d48845928b06ea1ea4"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"1.0.0-alpha.94"}]}}],"versions":["1.0.0-alpha.93","1.0.0-alpha.92","1.0.0-alpha.91","1.0.0-alpha.90","1.0.0-alpha.89","1.0.0-alpha.88","1.0.0-alpha.87","1.0.0-alpha.86","1.0.0-alpha.85","1.0.0-alpha.84","1.0.0-alpha.83","1.0.0-alpha.82","1.0.0-alpha.81","1.0.0-alpha.80","1.0.0-alpha.79","1.0.0-alpha.78","1.0.0-alpha.77","1.0.0-alpha.76","1.0.0-alpha.75","1.0.0-alpha.74","1.0.0-alpha.73","1.0.0-alpha.72","1.0.0-alpha.71","1.0.0-alpha.70","1.0.0-alpha.69","1.0.0-alpha.68","1.0.0-alpha.67","1.0.0-alpha.66","1.0.0-alpha.65","1.0.0-alpha.64","1.0.0-alpha.63","1.0.0-alpha.62","1.0.0-alpha.61","1.0.0-alpha.60","1.0.0-alpha.59","1.0.0-alpha.58","1.0.0-alpha.57","1.0.0-alpha.56","1.0.0-alpha.55","1.0.0-alpha.54","1.0.0-alpha.53","1.0.0-alpha.52","1.0.0-alpha.51","1.0.0-alpha.50","1.0.0-alpha.49","1.0.0-alpha.48","1.0.0-alpha.47","1.0.0-alpha.46","1.0.0-alpha.45","1.0.0-alpha.44","1.0.0-alpha.43","1.0.0-alpha.42","1.0.0-alpha.41","1.0.0-alpha.40","1.0.0-alpha.39","1.0.0-alpha.38","1.0.0-alpha.37","1.0.0-alpha.36","1.0.0-alpha.35","1.0.0-alpha.34","1.0.0-alpha.33","1.0.0-alpha.32","1.0.0-alpha.31","1.0.0-alpha.30","1.0.0-alpha.29","1.0.0-alpha.28","1.0.0-alpha.27","1.0.0-alpha.26","1.0.0-alpha.25","1.0.0-alpha.24","1.0.0-alpha.23","1.0.0-alpha.22","1.0.0-alpha.21","1.0.0-alpha.20","1.0.0-alpha.19","1.0.0-alpha.18","1.0.0-alpha.17","1.0.0-alpha.16","1.0.0-alpha.15","1.0.0-alpha.14","1.0.0-alpha.13","1.0.0-alpha.12","1.0.0-alpha.11","1.0.0-alpha.10","1.0.0-alpha.9","1.0.0-alpha.8","1.0.0-alpha.7","1.0.0-alpha.6","1.0.0-alpha.5","1.0.0-alpha.4","1.0.0-alpha.3","1.0.0-alpha.2","1.0.0-alpha.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40937.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"}]}