{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40937", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T20:40:15.518Z", "datePublished": "2026-04-22T20:15:57.266Z", "dateUpdated": "2026-04-23T16:24:57.337Z"}, "containers": {"cna": {"title": "RustFS missing admin authorization on notification target endpoints, which allows unauthenticated configuration of event webhooks", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm"}, {"name": "https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94", "tags": ["x_refsource_MISC"], "url": "https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94"}], "affected": [{"vendor": "rustfs", "product": "rustfs", "versions": [{"version": "< 1.0.0-alpha.94", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T20:15:57.266Z"}, "descriptions": [{"lang": "en", "value": "RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch."}], "source": {"advisory": "GHSA-pfcq-4gjr-6gjm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T13:41:06.202053Z", "id": "CVE-2026-40937", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T16:24:57.337Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "RustFS missing admin authorization on notification target endpoints, which allows unauthenticated configuration of event webhooks", "source": {"advisory": "GHSA-pfcq-4gjr-6gjm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "rustfs", "product": "rustfs", "versions": [{"status": "affected", "version": "< 1.0.0-alpha.94"}]}], "references": [{"url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm", "name": "https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94", "name": "https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T20:15:57.266Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40937", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-23T13:41:06.202053Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-23T13:41:10.574Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-40937", "state": "PUBLISHED", "dateUpdated": "2026-04-22T20:15:57.266Z", "dateReserved": "2026-04-15T20:40:15.518Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-22T20:15:57.266Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha1:*:*:*:rust:*:*", "matchCriteriaId": "454A2F3A-76CF-4F2D-97FE-AEDEBE8FF1CA", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha10:*:*:*:rust:*:*", "matchCriteriaId": "32B2D146-7920-4C6D-B42F-1BDDF5193394", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha11:*:*:*:rust:*:*", "matchCriteriaId": "B25BC365-35BA-438A-B5B1-3FA696767821", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha12:*:*:*:rust:*:*", "matchCriteriaId": "B69213F1-7D94-4185-9309-FF3140733550", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha13:*:*:*:rust:*:*", "matchCriteriaId": "BD2476D6-257C-4A96-BED4-D8B002402242", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha14:*:*:*:rust:*:*", "matchCriteriaId": "774EC64C-73ED-4D6B-893B-30A066DA934C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha15:*:*:*:rust:*:*", "matchCriteriaId": "4B567F4F-131F-4D4B-8C0C-9212F22F2BB3", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha16:*:*:*:rust:*:*", "matchCriteriaId": "711F7641-A2B2-410B-B05D-6656F9A1798F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha17:*:*:*:rust:*:*", "matchCriteriaId": "EB79AC62-2B79-441C-BC09-4C834C32EADA", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha18:*:*:*:rust:*:*", "matchCriteriaId": "62DE84EE-9F3B-460A-AC13-D2B8CCBC5B4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha19:*:*:*:rust:*:*", "matchCriteriaId": "DEF70599-6550-49D2-9800-FE3249A66568", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha2:*:*:*:rust:*:*", "matchCriteriaId": "550786BD-A6A4-454B-BDAB-67AE64DABCA7", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha20:*:*:*:rust:*:*", "matchCriteriaId": "FDFE93A5-B6D7-482A-A891-4D8844604C07", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha21:*:*:*:rust:*:*", "matchCriteriaId": "79AC4F00-B006-46C2-863F-2946BB02B58E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha22:*:*:*:rust:*:*", "matchCriteriaId": "E313A243-ED56-498D-988F-E088693EBB61", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha23:*:*:*:rust:*:*", "matchCriteriaId": "D3A60CB7-1F01-4A60-8555-C225AC89B959", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha24:*:*:*:rust:*:*", "matchCriteriaId": "1C98618D-CF5D-406B-8AA5-34B412F3D43D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha25:*:*:*:rust:*:*", "matchCriteriaId": "98373960-FEDB-4933-92D5-2A597045DD23", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha26:*:*:*:rust:*:*", "matchCriteriaId": "83E0E1A5-3C07-45FF-80FD-0DB375E1575E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha27:*:*:*:rust:*:*", "matchCriteriaId": "C2D66076-4005-4F58-A8E2-69062053D786", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha28:*:*:*:rust:*:*", "matchCriteriaId": "1D8CB0F5-299F-4BB0-B264-F5642DD991C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha29:*:*:*:rust:*:*", "matchCriteriaId": "96E20418-FE0C-4202-8771-FFF8EBB1B62D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha3:*:*:*:rust:*:*", "matchCriteriaId": "C16A625B-3FC4-48EB-9107-6E7585080D15", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha30:*:*:*:rust:*:*", "matchCriteriaId": "810A17F9-AEEA-4396-B437-120789BBE882", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha31:*:*:*:rust:*:*", "matchCriteriaId": "7B1FECD4-E993-417D-AEA7-F8E97DC6A5FA", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha32:*:*:*:rust:*:*", "matchCriteriaId": "3839F299-E0E7-4994-A8AC-B67A534C9847", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha33:*:*:*:rust:*:*", "matchCriteriaId": "46CAEA4E-5DFD-4668-ABF0-DC53EB04EE7B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha34:*:*:*:rust:*:*", "matchCriteriaId": "591075AB-81EF-4D42-A2A0-FA28BC6B78CC", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha35:*:*:*:rust:*:*", "matchCriteriaId": "FD46ED07-6DCC-4BF8-A4E8-78B2FF6DCE4C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha36:*:*:*:rust:*:*", "matchCriteriaId": "6DF15533-D6E1-49B0-B30A-6FEECC7AE06C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha37:*:*:*:rust:*:*", "matchCriteriaId": "EC68F03A-D299-4BFB-A99E-4B08E4E0848F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha38:*:*:*:rust:*:*", "matchCriteriaId": "0DD60024-CAB2-4DA6-A9CA-503D2631E98B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha39:*:*:*:rust:*:*", "matchCriteriaId": "32470ED0-7873-41A3-B2D5-7CD444ED0A45", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha4:*:*:*:rust:*:*", "matchCriteriaId": "A88E9293-4B7C-4C52-9943-47197DB55D59", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha40:*:*:*:rust:*:*", "matchCriteriaId": "E2EFC74D-40E7-426C-9F7B-3B654F2B940F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha41:*:*:*:rust:*:*", "matchCriteriaId": "EAAF504E-51A5-492B-887E-BB67788B899C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha42:*:*:*:rust:*:*", "matchCriteriaId": "35C83244-D2C7-4D70-9C0B-D0590B00C608", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha43:*:*:*:rust:*:*", "matchCriteriaId": "429E4ECD-997A-4D3B-9DE2-60835AE14473", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha44:*:*:*:rust:*:*", "matchCriteriaId": "5DDDBAA5-D207-498C-A6F0-79F07806C511", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha45:*:*:*:rust:*:*", "matchCriteriaId": "81758B85-6D2B-4914-96EC-E4CCDE2F9A52", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha46:*:*:*:rust:*:*", "matchCriteriaId": "D439B484-E32D-4A6A-84EE-9307A028F736", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha47:*:*:*:rust:*:*", "matchCriteriaId": "FDA137F7-DC8A-44F4-8061-F502AC8DD7BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha48:*:*:*:rust:*:*", "matchCriteriaId": "AE3EF7B3-E8C0-4844-9165-3A26EB426615", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha49:*:*:*:rust:*:*", "matchCriteriaId": "EB40D926-AE20-46A7-9B6E-ED1BADB9A08B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha5:*:*:*:rust:*:*", "matchCriteriaId": "7F5E8DE5-ABB0-4884-B473-07FA596A8707", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha50:*:*:*:rust:*:*", "matchCriteriaId": "3A43A950-59A6-4343-815A-953C11DC3F13", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha51:*:*:*:rust:*:*", "matchCriteriaId": "87B36190-C30B-45BC-9738-BE0B3321025D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha52:*:*:*:rust:*:*", "matchCriteriaId": "86A2967C-E2C6-4C73-9BDE-CCECACDB2B02", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha53:*:*:*:rust:*:*", "matchCriteriaId": "5E10A654-E265-4469-8099-ABBB1F5D8BCF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha54:*:*:*:rust:*:*", "matchCriteriaId": "762591A8-A0A2-45D2-B15F-1E85DFC5CA86", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha55:*:*:*:rust:*:*", "matchCriteriaId": "53DE196C-1914-40AE-854D-4988073D57C3", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha56:*:*:*:rust:*:*", "matchCriteriaId": "5BE55B7E-3806-4F8A-B09C-7B9D173D3FAE", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha57:*:*:*:rust:*:*", "matchCriteriaId": "8CF07DA6-11F6-4A19-9FD9-1955EC22C779", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha58:*:*:*:rust:*:*", "matchCriteriaId": "1A571B98-0EE7-46A6-8514-3E02F9CE969A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha59:*:*:*:rust:*:*", "matchCriteriaId": "3263EEC7-94FF-4802-BCB2-0C3713079439", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha6:*:*:*:rust:*:*", "matchCriteriaId": "2B55C391-0232-4F06-A9D8-3663FA564E81", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha60:*:*:*:rust:*:*", "matchCriteriaId": "FA13E6EE-A889-408E-8503-2F57A5E46CE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha61:*:*:*:rust:*:*", "matchCriteriaId": "4D28A63E-ADE5-4DEC-8E75-0884A7011613", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha62:*:*:*:rust:*:*", "matchCriteriaId": "21E6129E-565C-45AE-A0C8-2D1B623EEC9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha63:*:*:*:rust:*:*", "matchCriteriaId": "046F640C-18E9-4FC4-812D-8E4CAAFCAE55", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha64:*:*:*:rust:*:*", "matchCriteriaId": "BFB217B7-78AA-4D16-9A2B-863BD6CD01B6", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha65:*:*:*:rust:*:*", "matchCriteriaId": "F8EEF3FF-410B-40F3-A144-CD61ED394109", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha66:*:*:*:rust:*:*", "matchCriteriaId": "E3494138-7FE7-4152-935C-C1C35179064B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha67:*:*:*:rust:*:*", "matchCriteriaId": "9E0461BC-0E45-4F9F-A837-4D9FC8852A75", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha68:*:*:*:rust:*:*", "matchCriteriaId": "E259407D-61CF-4956-A456-57F131334456", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha69:*:*:*:rust:*:*", "matchCriteriaId": "B6E44EF8-98A5-47F5-B7E9-3199EB08FAC1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha7:*:*:*:rust:*:*", "matchCriteriaId": "54AB158B-F536-4627-8C6B-65AEE112FDF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha70:*:*:*:rust:*:*", "matchCriteriaId": "F4CBBD85-02F9-491A-8845-59EFB88F2DAF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha71:*:*:*:rust:*:*", "matchCriteriaId": "2271380A-3AE1-4954-8D16-5065C8E88D32", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha72:*:*:*:rust:*:*", "matchCriteriaId": "DB3F6C7E-71E4-427A-96F4-F62DE0ED9450", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha73:*:*:*:rust:*:*", "matchCriteriaId": "980BEAAE-143E-4F28-9A2F-58CED3D296E9", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha74:*:*:*:rust:*:*", "matchCriteriaId": "8E14C88E-CE9B-44DA-98DE-280C0D6E4C8D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha75:*:*:*:rust:*:*", "matchCriteriaId": "EEC13614-61AD-45A7-B7FA-07346D33CACF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha76:*:*:*:rust:*:*", "matchCriteriaId": "6B3E9EB0-0A41-4146-B6A9-49B1A70358DC", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha77:*:*:*:rust:*:*", "matchCriteriaId": "CBDD75C5-1A08-4758-9324-172C1D539322", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha78:*:*:*:rust:*:*", "matchCriteriaId": "96461CC0-012C-40D7-B1CB-FF9A6B7EB644", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha79:*:*:*:rust:*:*", "matchCriteriaId": "9AA7AE2E-83E3-4796-8569-16030DB2CF38", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha8:*:*:*:rust:*:*", "matchCriteriaId": "F800AEB3-3AD7-42D8-BC3A-23703851435B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha80:*:*:*:rust:*:*", "matchCriteriaId": "73638EAF-BCA6-4BD8-90E5-3A53EFD0FD5C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha81:*:*:*:rust:*:*", "matchCriteriaId": "48BCB4A7-57C5-4FAA-860D-B862947EE352", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha82:*:*:*:rust:*:*", "matchCriteriaId": "0EA73A06-6AEA-45DF-B819-D25AA9BBEBA7", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha83:*:*:*:rust:*:*", "matchCriteriaId": "A82C642A-14DD-4D6E-920F-BF05CEA173AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha84:*:*:*:rust:*:*", "matchCriteriaId": "CA33A8E8-C07B-46F1-81CB-D61429EDDBFC", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha85:*:*:*:rust:*:*", "matchCriteriaId": "2178E577-606B-4ABA-B747-4584F444B235", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha86:*:*:*:rust:*:*", "matchCriteriaId": "77E9B4E9-2828-458A-8086-24A1E3ECCA1F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha87:*:*:*:rust:*:*", "matchCriteriaId": "83DF75E6-D5A9-4CCF-9580-D10BDFB9DAC4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha88:*:*:*:rust:*:*", "matchCriteriaId": "0DAE6A6F-4CFE-4D5B-981B-18212A654EF4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha89:*:*:*:rust:*:*", "matchCriteriaId": "B2762E72-9390-48A7-AD63-0EB7510442DF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha9:*:*:*:rust:*:*", "matchCriteriaId": "5821FADC-CF73-4639-911A-F3302D239B7C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha90:*:*:*:rust:*:*", "matchCriteriaId": "7F4D13A8-1A82-404C-93FA-AF94B7EC9D12", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha91:*:*:*:rust:*:*", "matchCriteriaId": "ED2FA642-2D41-4348-87B8-691F6FD3AC8A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha92:*:*:*:rust:*:*", "matchCriteriaId": "4D0D8649-65A9-4044-903B-EAFB6C73AD1B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha93:*:*:*:rust:*:*", "matchCriteriaId": "AEB051A2-5799-4C2C-AFE0-86851FFF0FF2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch."}], "id": "CVE-2026-40937", "lastModified": "2026-04-24T13:12:29.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T21:17:08.877", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.0-alpha.94)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "rustfs", "source": "cna", "vendor": "rustfs"}, "product": "rustfs", "vendor": "rustfs"}], "created": "2026-04-22T21:30:27.595343+00:00", "updated": "2026-04-22T21:30:27.595418+00:00", "vendors": ["rustfs", "rustfs$PRODUCT$rustfs"]}