CVE-2026-40937
Published: 22 April 2026
Summary
CVE-2026-40937 is a high-severity Missing Authorization (CWE-862) vulnerability in Rustfs Rustfs. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 17.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates enforcement of authorization for admin API endpoints, addressing the missing validate_admin_request checks in notification target handlers.
Enforces least privilege to prevent non-admin users from overwriting shared admin-defined notification targets.
Restricts modifications to configuration items like notification targets to authorized personnel only.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization in admin API endpoints allows low-privileged authenticated users to perform unauthorized admin actions like modifying notification targets, directly enabling privilege escalation (T1068) via the public-facing application (T1190) for event interception and audit evasion.
NVD Description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization…
more
via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch.
Deeper analysisAI
CVE-2026-40937 is a missing authorization vulnerability (CWE-862) in RustFS, a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.94, the four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` rely solely on a `check_permissions` helper, which validates authentication via access key and session token but skips the `validate_admin_request` function used by all other admin handlers. This oversight allows unauthorized modification of admin-defined resources without the required `AdminAction` checks.
The vulnerability has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L), indicating high severity. A low-privileged (non-admin) authenticated user can exploit it remotely with low complexity and no user interaction. By overwriting a shared admin-defined notification target by name, the attacker redirects subsequent bucket events to an attacker-controlled endpoint, enabling cross-user event interception and audit evasion.
RustFS version 1.0.0-alpha.94 addresses the issue with a patch. Security practitioners should upgrade to this release, as detailed in the GitHub release notes (https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94) and the associated security advisory (https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm).
Details
- CWE(s)