


Perceptive Security
SOC/SIEM Consultancy

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/hand…
Published:
21 April 2026 at 22:00:00
Alert date:
22 April 2026 at 22:11:22
Source:
nvd.nist.gov
Database & Storage, Identity & Access
RustFS, a distributed object storage system, contains an authorization bypass vulnerability in its notification target admin API endpoints. The vulnerability exists in rustfs/src/admin/handlers/event.rs, where four endpoints use the check_permissions helper, which validates authentication only and does not perform admin-action authorization via validate_admin_request. Non-admin users can therefore overwrite admin-defined notification targets by name, causing bucket events to be delivered to attacker-controlled endpoints. This enables cross-user event interception and audit evasion. The vulnerability affects versions prior to 1.0.0-alpha.94, which contains a patch.
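The authorization gap described above, as an added illustration that is not RustFS code and is not taken from the advisory: a minimal Rust model of an admin handler guarded only by an authentication check beside the same handler guarded by a per-action admin authorization check. The function names check_permissions and validate_admin_request come from the advisory text; the Caller and TargetStore types, the SET_TARGET_ACTION identifier and all bodies are assumptions constructed for this example.

```rust
use std::collections::{HashMap, HashSet};

// Constructed for this example; not RustFS code. check_permissions and
// validate_admin_request are names from the advisory, everything else is assumed.

/// Caller identity as seen by an admin handler (constructed type).
#[derive(Debug, Clone)]
pub struct Caller {
    pub user: String,
    pub authenticated: bool,
    /// Admin actions this identity is permitted to perform.
    pub allowed_actions: HashSet<String>,
}

#[derive(Debug, PartialEq)]
pub enum AuthError {
    Unauthenticated,
    Forbidden,
}

/// Assumed action name for rewriting a notification target.
pub const SET_TARGET_ACTION: &str = "admin:SetNotificationTarget";

/// Weak guard: answers only "is this caller logged in?".
pub fn check_permissions(c: &Caller) -> Result<(), AuthError> {
    if c.authenticated { Ok(()) } else { Err(AuthError::Unauthenticated) }
}

/// Admin guard: authentication *and* authorization for the specific admin action.
pub fn validate_admin_request(c: &Caller, action: &str) -> Result<(), AuthError> {
    check_permissions(c)?;
    if c.allowed_actions.contains(action) { Ok(()) } else { Err(AuthError::Forbidden) }
}

/// Notification targets keyed by name; the value is the delivery endpoint.
#[derive(Default)]
pub struct TargetStore {
    targets: HashMap<String, String>,
}

impl TargetStore {
    pub fn endpoint_of(&self, name: &str) -> Option<&str> {
        self.targets.get(name).map(String::as_str)
    }
}

/// Vulnerable pattern: any authenticated user may overwrite a target by name.
pub fn set_target_authn_only(
    store: &mut TargetStore, c: &Caller, name: &str, endpoint: &str,
) -> Result<(), AuthError> {
    check_permissions(c)?;
    store.targets.insert(name.to_string(), endpoint.to_string());
    Ok(())
}

/// Hardened pattern: the caller must hold the admin action for this operation.
pub fn set_target_admin(
    store: &mut TargetStore, c: &Caller, name: &str, endpoint: &str,
) -> Result<(), AuthError> {
    validate_admin_request(c, SET_TARGET_ACTION)?;
    store.targets.insert(name.to_string(), endpoint.to_string());
    Ok(())
}

/// Builds a caller for the demo and tests.
pub fn caller(user: &str, authenticated: bool, actions: &[&str]) -> Caller {
    Caller {
        user: user.to_string(),
        authenticated,
        allowed_actions: actions.iter().map(|a| a.to_string()).collect(),
    }
}

fn main() {
    let admin = caller("admin", true, &[SET_TARGET_ACTION]);
    let tenant = caller("tenant", true, &[]);
    let mut store = TargetStore::default();

    set_target_admin(&mut store, &admin, "webhook1", "https://ops.example/hook").unwrap();
    // Authentication-only guard lets a non-admin tenant redirect the admin's target.
    let weak = set_target_authn_only(&mut store, &tenant, "webhook1", "https://tenant.example/x");
    println!("authn-only guard: {:?} -> {:?}", weak, store.endpoint_of("webhook1"));
    // Admin guard rejects the same request and leaves the target untouched.
    let strong = set_target_admin(&mut store, &tenant, "webhook1", "https://tenant.example/y");
    println!("admin guard: {:?} -> {:?}", strong, store.endpoint_of("webhook1"));
}
```

The regression check a maintainer would want here is the second half of main: a caller who is authenticated but lacks the admin action must receive Forbidden and the stored endpoint must remain the admin-defined one. Auditing every admin handler for a guard that stops at authentication, as the advisory describes for event.rs, is the corresponding review step.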
Technical details
Mitigation steps:
Affected products:
RustFS
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-40937
https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94
https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
