CVE-2026-40937

CVE-2026-40937 is a high-severity missing authorization vulnerability in rustfs (rust), affecting versions <= 0.0.2. The advisory metadata lists no fixed version; the Patch section below links to release 1.0.0-alpha.94.

Summary

Missing Admin Auth on Notification Target Endpoints in RustFS

Finding Summary

All four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a check_permissions helper that validates authentication only (access key + session token), without performing any admin-action authorization via validate_admin_request. Every other admin handler in the codebase correctly calls validate_admin_request with a specific AdminAction. This is the only admin handler file that skips authorization.

A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion.

What Was Proven Live

  1. Authorization bypass on all four endpoints (03_readonly_user_bypass.py)

    • PUT, GET list, GET arns, DELETE all return 200 for readonly-user
    • Control routes (list-users, kms/status) correctly return 403
    • Unauthenticated requests correctly rejected (403 Signature required)
  2. SSRF via health probe (04_ssrf_listener_landing.py)

    • HEAD request from rustfs container to attacker-controlled listener
    • No host validation: only scheme check (http/https)
  3. Target hijacking and event exfiltration (05_target_hijacking.py, 06_full_event_exfil.py)

    • Readonly-user overwrites admin-configured target URL by name
    • Subsequent S3 events delivered to attacker-controlled endpoint
    • Captured event body includes object keys, bucket names, user identities, and request metadata
  4. Audit evasion (05_target_hijacking.py)

    • Readonly-user can delete unbound targets
    • Readonly-user can overwrite bound targets (silently redirecting events)
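
The SSRF finding above comes down to the health probe accepting any URL whose scheme is http or https. The Rust below is an added example, not code from RustFS or from the reporter's PoC scripts: it vets a webhook URL before the server ever connects, rejecting loopback, private, link-local (which covers 169.254.169.254), CGNAT, documentation and unique-local addresses, unwrapping IPv4-mapped IPv6 so ::ffff:10.0.0.5 is judged as 10.0.0.5, stripping userinfo so http://trusted.example@10.0.0.1/ is judged by its real host, and handing hostnames back for the caller to resolve. The Reject and Target enums and the vet_webhook_url function are this example's own names, and it uses only the standard library so it runs without the url crate.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

#[derive(Debug, PartialEq, Eq)]
pub enum Reject {
    BadScheme,        // only http and https are delivery protocols here
    NoHost,
    BadPort,
    NonPublicAddress, // loopback, private, link-local, metadata, ...
}

#[derive(Debug, PartialEq, Eq)]
pub enum Target {
    /// A literal address that has already passed is_public_ip.
    Ip(IpAddr, u16),
    /// A hostname; the caller must resolve it and re-check every address.
    Hostname(String, u16),
}

pub fn is_public_v4(a: Ipv4Addr) -> bool {
    let o = a.octets();
    let cgnat = o[0] == 100 && (o[1] & 0xc0) == 64; // 100.64.0.0/10
    let zero_net = o[0] == 0;                        // 0.0.0.0/8
    !(a.is_private()
        || a.is_loopback()
        || a.is_link_local() // includes 169.254.169.254 cloud metadata
        || a.is_unspecified()
        || a.is_broadcast()
        || a.is_documentation()
        || cgnat
        || zero_net)
}

pub fn is_public_v6(a: Ipv6Addr) -> bool {
    if let Some(v4) = a.to_ipv4_mapped() {
        return is_public_v4(v4); // ::ffff:10.0.0.5 is still 10.0.0.5
    }
    let s = a.segments();
    let unique_local = (s[0] & 0xfe00) == 0xfc00;         // fc00::/7 (covers fd00:ec2::254)
    let link_local = (s[0] & 0xffc0) == 0xfe80;           // fe80::/10
    let documentation = s[0] == 0x2001 && s[1] == 0x0db8; // 2001:db8::/32
    !(a.is_loopback() || a.is_unspecified() || unique_local || link_local || documentation)
}

pub fn is_public_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(a) => is_public_v4(a),
        IpAddr::V6(a) => is_public_v6(a),
    }
}

/// Parses scheme://[userinfo@]host[:port][/path] and vets the host before any
/// request is made. Hand-rolled so the example needs no `url` crate.
pub fn vet_webhook_url(url: &str) -> Result<Target, Reject> {
    let (scheme, rest) = url.split_once("://").ok_or(Reject::BadScheme)?;
    let default_port = match scheme.to_ascii_lowercase().as_str() {
        "http" => 80,
        "https" => 443,
        _ => return Err(Reject::BadScheme),
    };
    let end = rest.find(['/', '?', '#']).unwrap_or(rest.len());
    let authority = &rest[..end];
    // Drop userinfo so "http://trusted.example@10.0.0.1/" is judged by its real host.
    let hostport = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    let (host, port_str) = if let Some(inner) = hostport.strip_prefix('[') {
        let (h, after) = inner.split_once(']').ok_or(Reject::NoHost)?;
        let p = if after.is_empty() { None } else { Some(after.strip_prefix(':').ok_or(Reject::BadPort)?) };
        (h, p)
    } else {
        match hostport.rsplit_once(':') {
            Some((h, p)) => (h, Some(p)),
            None => (hostport, None),
        }
    };
    if host.is_empty() {
        return Err(Reject::NoHost);
    }
    let port = match port_str {
        None | Some("") => default_port,
        Some(p) => p.parse::<u16>().map_err(|_| Reject::BadPort)?,
    };
    if let Ok(ip) = host.parse::<IpAddr>() {
        return if is_public_ip(ip) { Ok(Target::Ip(ip, port)) } else { Err(Reject::NonPublicAddress) };
    }
    let host = host.to_ascii_lowercase();
    if host == "localhost" || host.ends_with(".localhost") {
        return Err(Reject::NonPublicAddress);
    }
    Ok(Target::Hostname(host, port))
}

fn main() {
    for u in ["http://169.254.169.254/latest/meta-data/", "https://hooks.example.com:8443/events"] {
        println!("{u} -> {:?}", vet_webhook_url(u));
    }
}
```

A hostname that passes this check still has to be resolved, and every resulting address run through is_public_ip again, with the connection made to the vetted address rather than re-resolving by name; otherwise DNS rebinding, or a numeric form such as 2130706433 that a system resolver may accept, gets past the filter.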

Escalation Vectors Tested But Not Viable

  1. Self-referencing webhook to admin API (13_self_referencing_test.py)

    • Webhook sends unsigned POST with event JSON body
    • Admin endpoints require SigV4 auth -- unsigned request rejected
    • "Confused deputy" via self-referencing does NOT work
  2. Protocol smuggling via non-HTTP targets

    • Only 2 target types implemented: webhook and MQTT (event.rs:613 enforces this)
    • No Redis, Kafka, AMQP, or other protocol targets exist
    • CRLF injection in webhook config fields sanitized by reqwest
    • MQTT uses rumqttc (pure Rust binary protocol client), no raw TCP injection
  3. MQTT target for RCE

    • No unsafe code in MQTT handler
    • rumqttc 0.29.0 has no known public CVEs
    • No Command::new, template engines, or deserialization of broker responses
  4. Unauth access

    • Endpoints correctly reject unauthenticated requests (403)
    • Endpoints correctly reject invalid credentials (403)

Prior Art

No existing advisory covers notification target endpoints. 11 published GHSAs on rustfs/rustfs cover different handlers. Closest:

  • CVE-2026-22042 (ImportIam wrong action constant) -- same bug class, different file
  • CVE-2026-22043 (deny_only short-circuit) -- different bug class

Koda Reef

Patch

This issue has been patched in release 1.0.0-alpha.94: https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94

Impact

The application does not perform an authorization check before performing a sensitive operation. Here the four notification target admin endpoints verify only that the caller is authenticated, so any valid non-admin identity can create, list, overwrite or delete notification targets. Typical impact: unauthorized access to restricted functionality or data. In this case that means redirecting bucket event notifications to an attacker-controlled endpoint (cross-user event interception and audit evasion) and making the RustFS host issue requests to arbitrary http/https URLs through the target health probe.

CVE-2026-40937 has a CVSS score of 8.3 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment: in practice, whether the RustFS admin API is reachable and whether non-admin credentials are issued to parties you would not trust with notification configuration. The advisory metadata lists no fixed version (the Patch section above links to release 1.0.0-alpha.94), so configuration controls and monitoring matter in the interim.

Affected versions

rustfs (<= 0.0.2)

Security releases

Not listed in the advisory metadata; see the Patch section above for the linked release 1.0.0-alpha.94.

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

The fix is straightforward: add validate_admin_request calls with a specific AdminAction to the four notification target handlers in rustfs/src/admin/handlers/event.rs, matching every other admin handler in the codebase, and upgrade to the release linked in the Patch section. Until that is deployed, limit which identities hold credentials that can reach the admin API and watch the notification target configuration for changes made by non-admin identities. The reporter's submission notes: submit via GitHub PVR; the finding is well-supported with live PoC, code references, and clear root cause, and the core submission should reference 2-3 focused PoC scripts (readonly bypass, target hijack, event exfil) rather than the full set of 13 exploratory scripts.
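
The Finding Summary describes the root cause as handlers that call an authentication-only check_permissions helper instead of validate_admin_request with a specific AdminAction, and the remediation above is to add that call. The Rust below is an added example, not RustFS's code: it models both checks over a hypothetical credential store and Identity type, puts the vulnerable and fixed shapes of the PUT target handler side by side, and replays the advisory's hijack (a read-only user overwriting an admin-defined target by name). The AdminAction variant names, the Identity and Server types, the demo credentials and the target URLs are all assumptions of this example.

```rust
use std::collections::HashMap;

/// Admin actions a handler can demand. Hypothetical variant names; RustFS's
/// own AdminAction enum is not reproduced here.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AdminAction {
    ConfigUpdate, // required to create, overwrite or delete a notification target
    ServerInfo,   // a harmless read action a limited user may hold
}

/// Caller identity after credential validation (a stand-in for a policy engine).
#[derive(Debug, Clone)]
pub struct Identity {
    pub is_admin: bool,
    pub allowed: Vec<AdminAction>,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum AuthError {
    Unauthenticated, // missing signature or wrong credentials: the 403 the advisory saw
    Forbidden,       // valid credentials, but not entitled to this admin action
}

pub struct Server {
    creds: HashMap<String, (String, Identity)>, // access key -> (secret, identity)
    targets: HashMap<String, String>,           // target name -> delivery URL
}

impl Server {
    /// Authentication only. This is the shape of check the advisory describes:
    /// it proves the caller holds valid credentials and nothing more.
    fn check_permissions(&self, ak: &str, sk: &str) -> Result<Identity, AuthError> {
        match self.creds.get(ak) {
            Some((secret, id)) if secret.as_str() == sk => Ok(id.clone()),
            _ => Err(AuthError::Unauthenticated),
        }
    }

    /// Authentication plus authorization for one named admin action.
    fn validate_admin_request(&self, ak: &str, sk: &str, action: AdminAction) -> Result<Identity, AuthError> {
        let id = self.check_permissions(ak, sk)?;
        if id.is_admin || id.allowed.contains(&action) { Ok(id) } else { Err(AuthError::Forbidden) }
    }

    /// Vulnerable shape: any authenticated caller may overwrite a target by name.
    pub fn put_target_vulnerable(&mut self, ak: &str, sk: &str, name: &str, url: &str) -> Result<(), AuthError> {
        self.check_permissions(ak, sk)?;
        self.targets.insert(name.to_string(), url.to_string());
        Ok(())
    }

    /// Fixed shape: the handler names the admin action it performs.
    pub fn put_target_fixed(&mut self, ak: &str, sk: &str, name: &str, url: &str) -> Result<(), AuthError> {
        self.validate_admin_request(ak, sk, AdminAction::ConfigUpdate)?;
        self.targets.insert(name.to_string(), url.to_string());
        Ok(())
    }

    /// Deletion needs the same action; returns whether a target was removed.
    pub fn delete_target_fixed(&mut self, ak: &str, sk: &str, name: &str) -> Result<bool, AuthError> {
        self.validate_admin_request(ak, sk, AdminAction::ConfigUpdate)?;
        Ok(self.targets.remove(name).is_some())
    }

    /// A read-only action the limited user is allowed to perform.
    pub fn server_info_fixed(&self, ak: &str, sk: &str) -> Result<usize, AuthError> {
        self.validate_admin_request(ak, sk, AdminAction::ServerInfo)?;
        Ok(self.targets.len())
    }

    pub fn target_url(&self, name: &str) -> Option<&str> {
        self.targets.get(name).map(String::as_str)
    }
}

/// Constructed fixture: an admin, a read-only user, and one admin-defined target
/// named "audit" that delivers bucket events to a SOC collector.
pub fn demo_server() -> Server {
    let mut creds = HashMap::new();
    creds.insert("admin".to_string(), ("admin-secret".to_string(), Identity { is_admin: true, allowed: vec![] }));
    creds.insert("readonly".to_string(), ("readonly-secret".to_string(), Identity { is_admin: false, allowed: vec![AdminAction::ServerInfo] }));
    let mut targets = HashMap::new();
    targets.insert("audit".to_string(), "https://soc.example.internal/events".to_string());
    Server { creds, targets }
}

/// The advisory's hijack: the read-only user overwrites "audit" by name so later
/// events go to the attacker. Returns the handler outcome and the URL afterwards.
pub fn hijack_attempt(fixed: bool) -> (Result<(), AuthError>, String) {
    let mut s = demo_server();
    let evil = "https://attacker.example/collect";
    let r = if fixed {
        s.put_target_fixed("readonly", "readonly-secret", "audit", evil)
    } else {
        s.put_target_vulnerable("readonly", "readonly-secret", "audit", evil)
    };
    (r, s.target_url("audit").unwrap_or_default().to_string())
}

fn main() {
    println!("vulnerable handler: {:?}", hijack_attempt(false));
    println!("fixed handler:      {:?}", hijack_attempt(true));
}
```

The distinction worth carrying over to the real fix is the one the two return values make visible: check_permissions can only ever answer "who is this", while a handler that mutates shared configuration must also answer "may they change notification delivery", so it should name the action it performs and let the policy layer, not the handler, decide.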

Frequently Asked Questions

  1. What is CVE-2026-40937? CVE-2026-40937 is a high-severity missing authorization vulnerability in rustfs (rust), affecting versions <= 0.0.2. The advisory metadata lists no fixed version; the Patch section links to release 1.0.0-alpha.94. The application does not perform an authorization check before performing a sensitive operation: the notification target admin endpoints verify only that the caller is authenticated.
  2. How severe is CVE-2026-40937? CVE-2026-40937 has a CVSS score of 8.3 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of rustfs are affected by CVE-2026-40937? rustfs (rust) versions <= 0.0.2 are affected.
  4. Is there a fix for CVE-2026-40937? The advisory metadata lists no fixed version for CVE-2026-40937; the Patch section links to release 1.0.0-alpha.94. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is CVE-2026-40937 exploitable, and should I be worried? Whether CVE-2026-40937 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-40937 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-40937? Upgrade to the release linked in the Patch section (1.0.0-alpha.94) or later. In the interim: keep the dependency up to date, restrict which identities hold credentials that can reach the admin API, and ensure authorization checks (validate_admin_request with a specific AdminAction) are enforced consistently on all sensitive operations.

Other vulnerabilities in rustfs

  • CVE-2026-27822
  • CVE-2026-27607
  • CVE-2026-24762
  • CVE-2026-21862
