Home / Vulnerability Intelligence / CVE-2026-40937

CVE-2026-40937 - Vulnerability Analysis

HighCVSS: 8.3

Last Updated: April 22, 2026

RustFS - Broken Access Control

Published: April 22, 2026Updated: April 22, 2026Remote Exploitable

Overview

RustFS < 1.0.0-alpha.94 contains a broken access control caused by missing admin-action authorization in notification target admin API endpoints, letting non-admin users overwrite shared notification targets, enabling event interception and audit evasion, exploit requires non-admin user access.

Severity & Score

Severity: High

CVSS Score: 8.3

Impact

Non-admin users can intercept events and evade audits by overwriting shared notification targets, compromising event integrity and confidentiality.

Mitigation

Update to version 1.0.0-alpha.94 or later.

References

https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94
https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-40937
Severity: High
CVSS Score: 8.3
Type: broken_access_control
Status: unconfirmed

CWE

CWE-862

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L