CVE-2026-40937

Name of the Vulnerable Software and Affected Versions RustFS versions prior to 1.0.0-alpha.94

Description Four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a check permissions helper that validates authentication but fails to perform admin-action authorization via validate admin request(). This allows a non-admin user to overwrite a shared admin-defined notification target by name, enabling the interception of bucket events and audit evasion by redirecting data to an attacker-controlled endpoint.

Recommendations Update to version 1.0.0-alpha.94.