A newly disclosed vulnerability in RustFS, the Rust-based distributed object storage system, allows any low-privileged authenticated user to silently hijack admin-configured event notification webhooks, redirect S3 bucket events to attacker-controlled infrastructure, and evade audit logging, all without requiring administrator credentials.
The flaw carries a CVSS 3.1 score of 8.5 (High), with a network-accessible attack vector, low privileges required, and no user interaction needed, despite being labeled “Moderate” in the advisory's severity tier.
The vulnerability resides in rustfs/src/admin/handlers/event.rs and affects all RustFS deployments running version ≤ 1.0.0-alpha.93.
CVE-2026-40937: RustFS Webhook Hijack
The root cause is a missing authorization gate. All four notification target admin API endpoints responsible for creating, reading, listing, and deleting webhook/MQTT notification targets use only a check_permissions helper that validates an access key and session token (authentication), but never invokes validate_admin_request with AdminAction (authorization).
Every other admin handler in the RustFS codebase correctly calls validate_admin_request; the event handler file is the singular exception.
This is classified under CWE-862 (Missing Authorization): “the product does not perform an authorization check when an actor attempts to access a resource or perform an action”.
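The following Rust model is an added illustration of the bug class described above; it is not RustFS code, and every name in it (Identity, Rejection, check_permissions, validate_admin_request, set_target_vulnerable, set_target_fixed, the ARN string) is hypothetical. It contrasts a handler that only authenticates the caller with one that also authorizes the admin action before touching any state.

```rust
// Added illustration of CWE-862 as described for CVE-2026-40937.
// Not RustFS code: all names and the ARN value below are hypothetical.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum AdminAction {
    SetBucketTarget,
}

#[derive(Clone, Debug)]
pub struct Identity {
    pub access_key: String,
    pub is_admin: bool,
}

#[derive(Debug, PartialEq)]
pub enum Rejection {
    Unauthenticated, // no valid access key / session token
    Forbidden,       // valid identity, but not allowed to do this
}

/// Authentication only: is there a valid session at all?
/// This says nothing about what the caller is allowed to do.
fn check_permissions(session: Option<&Identity>) -> Result<&Identity, Rejection> {
    session.ok_or(Rejection::Unauthenticated)
}

/// Authorization: may this identity perform the named admin action?
fn validate_admin_request(id: &Identity, _action: AdminAction) -> Result<(), Rejection> {
    if id.is_admin { Ok(()) } else { Err(Rejection::Forbidden) }
}

/// Vulnerable shape: authenticates, then writes the notification target.
/// Any valid low-privilege session reaches the state change.
pub fn set_target_vulnerable(session: Option<&Identity>, targets: &mut Vec<String>, arn: &str) -> Result<(), Rejection> {
    check_permissions(session)?;
    targets.push(arn.to_string());
    Ok(())
}

/// Fixed shape: authenticates, then authorizes, before any state change.
pub fn set_target_fixed(session: Option<&Identity>, targets: &mut Vec<String>, arn: &str) -> Result<(), Rejection> {
    let id = check_permissions(session)?;
    validate_admin_request(id, AdminAction::SetBucketTarget)?;
    targets.push(arn.to_string());
    Ok(())
}
```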
Technical Attack Chain
Security researchers provided live proof-of-concept scripts demonstrating a complete exploit chain across four attack stages:
- Authorization bypass (03_readonly_user_bypass.py): A read-only user sends PUT, GET list, GET ARNs, and DELETE requests to the notification target endpoints. All four return HTTP 200.
  - Control endpoints such as list-users and kms/status correctly return 403, confirming the bypass is specific to the event handler file.
- SSRF via health probe (04_ssrf_listener_landing.py): The notification target health-check mechanism issues a HEAD request from the RustFS container to any attacker-specified URL.
  - Host validation is absent; only the URL scheme (http/https) is checked, leaving the server vulnerable to Server-Side Request Forgery (SSRF) against internal network ranges.
- Target hijacking and event exfiltration (05_target_hijacking.py, 06_full_event_exfil.py): The read-only user overwrites an existing admin-configured webhook target by name.
  - All subsequent S3 bucket events are delivered to the attacker-controlled endpoint. Captured event payloads contain object keys, bucket names, user identities, and full request metadata, exposing cross-tenant activity in multi-user deployments.
- Audit evasion: Because a read-only user can silently delete unbound targets or overwrite bound ones without triggering any privileged action log, the interception leaves no forensic trail.
Unauthenticated requests are correctly rejected with 403, and the researcher confirmed that “confused deputy” self-referencing webhooks do not work because admin endpoints enforce SigV4 authentication on inbound POSTs.
RustFS has accumulated a notable vulnerability history in recent months. The closely related CVE-2026-22042 (GHSA-vcwh-pff9-64cc) involved an ImportIam handler using the wrong AdminAction constant in the same bug class (incorrect or missing authorization), just in a different file.
CVE-2026-22043 addressed a deny_only short-circuit that allowed service accounts to self-issue unrestricted credentials. Earlier in 2026, a stored XSS flaw in the RustFS Console (CVE-2026-27822) exposed admin S3 credentials, including AccessKeyId, SecretAccessKey, and SessionToken.
A hardcoded gRPC static token (CVE-2025-68926) allowed any network-adjacent attacker to perform data destruction and policy manipulation.
The pattern is consistent: authorization and credential hygiene in admin API paths remain a systemic weakness across the RustFS codebase.
Patch and Remediation
Published on April 22, 2026, via GitHub Security Advisory GHSA-pfcq-4gjr-6gjm and assigned CVE-2026-40937, the vulnerability was patched in RustFS version 1.0.0-alpha.94 via pull request #2508, which enforces proper event and audit target authentication by adding validate_admin_request calls to all four handlers in event.rs. Organizations running RustFS in production or staging environments should upgrade immediately.
Operators who cannot immediately patch should consider:
- Network-level ACLs to restrict admin API access to trusted IP ranges only
- Audit log review for anomalous PUT/DELETE activity on notification target endpoints
- Webhook target inventory checks to verify no attacker-controlled URLs are registered as notification targets
- Monitoring outbound HEAD requests from the RustFS container for unexpected external endpoints indicating SSRF probing
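As an added example of the audit-log review suggested above (not RustFS code), the function below scans access-log lines for successful PUT/DELETE calls to notification-target admin endpoints made by identities outside a known-admin allow list. The log format, the endpoint paths and the sample lines are constructed for illustration and must be adapted to the real RustFS access log.

```rust
// Added detection example. Log format and paths are constructed, not RustFS's own.
#[derive(Debug, PartialEq)]
pub struct Finding {
    pub line_no: usize,
    pub user: String,
    pub method: String,
    pub path: String,
}

/// Flags successful (HTTP 200) PUT/DELETE requests against notification-target
/// endpoints whose caller is not in the admin allow list. On a vulnerable
/// build these succeed for read-only users, so any hit deserves a look.
pub fn find_suspicious_target_writes(log: &str, admins: &[&str]) -> Vec<Finding> {
    let mut out = Vec::new();
    for (i, line) in log.lines().enumerate() {
        // Constructed line shape: METHOD PATH user=<key> status=<code>
        let f: Vec<&str> = line.split_whitespace().collect();
        if f.len() < 4 {
            continue; // malformed or truncated line: skip, do not crash
        }
        let method = f[0];
        let path = f[1];
        let user = f[2].trim_start_matches("user=");
        let status = f[3].trim_start_matches("status=");
        let is_target_write = matches!(method, "PUT" | "DELETE") && path.contains("/target/");
        if is_target_write && status == "200" && !admins.contains(&user) {
            out.push(Finding {
                line_no: i + 1,
                user: user.to_string(),
                method: method.to_string(),
                path: path.to_string(),
            });
        }
    }
    out
}

/// Constructed sample log: one legitimate admin write, one denied control-endpoint
/// probe, and two target writes by a read-only identity that should be flagged.
pub const SAMPLE_LOG: &str = "\
PUT /rustfs/admin/v3/target/webhook/prod-alerts user=admin status=200
GET /rustfs/admin/v3/list-users user=readonly status=403
PUT /rustfs/admin/v3/target/webhook/prod-alerts user=readonly status=200
DELETE /rustfs/admin/v3/target/mqtt/old user=readonly status=200
GET /rustfs/admin/v3/target/webhook user=readonly status=200";
```

Read-only GETs on the target endpoints are deliberately not flagged here; broaden the filter if you also want to catch the enumeration step.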
In multi-tenant S3 environments, the impact is severe. An attacker with any valid low-privilege credential can silently redirect all bucket event notifications, including object creation, deletion, and access events, to external infrastructure.
Combined with the SSRF capability, this creates a dual threat: data exfiltration of operational metadata and internal network reconnaissance, all without leaving an audit trail.
FAQ
Q1: What is CVE-2026-40937?
CVE-2026-40937 is a Missing Authorization flaw (CWE-862) in RustFS ≤ 1.0.0-alpha.93 that lets any authenticated low-privilege user hijack admin event webhook targets, exfiltrate S3 bucket event data, and evade audit logging.
Q2: Which RustFS versions are affected, and what is the fix?
All versions up to and including 1.0.0-alpha.93 are vulnerable; upgrading to 1.0.0-alpha.94, which adds validate_admin_request enforcement to the event handler, fully remediates the issue.
Q3: Can unauthenticated attackers exploit CVE-2026-40937?
No, the endpoints correctly reject unauthenticated and invalid-credential requests with 403; exploitation requires a valid (but low-privilege) access key and session token.
Q4: What data is exposed when a notification target is hijacked?
Captured S3 event payloads include object keys, bucket names, user identities, and request metadata, enabling the attacker to intercept cross-user events and gather operational intelligence.
Site: thecybrdef.com