Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
6DescriptionGitHub Advisory
Missing Admin Auth on Notification Target Endpoints in RustFS
Finding Summary
All four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a check_permissions helper that validates authentication only (access key + session token), without performing any admin-action authorization via validate_admin_request. Every other admin handler in the codebase correctly calls validate_admin_request with a specific AdminAction. This is the only admin handler file that skips authorization.
A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion.
What Was Proven Live
- Authorization bypass on all four endpoints (03_readonly_user_bypass.py)
- PUT, GET list, GET arns, DELETE all return 200 for readonly-user
- Control routes (list-users, kms/status) correctly return 403
- Unauthenticated requests correctly rejected (403 Signature required)
- SSRF via health probe (04_ssrf_listener_landing.py)
- HEAD request from rustfs container to attacker-controlled listener
- No host validation: only scheme check (http/https)
- Target hijacking and event exfiltration (05_target_hijacking.py, 06_full_event_exfil.py)
- Readonly-user overwrites admin-configured target URL by name
- Subsequent S3 events delivered to attacker-controlled endpoint
- Captured event body includes object keys, bucket names, user identities, and request metadata
- Audit evasion (05_target_hijacking.py)
- Readonly-user can delete unbound targets
- Readonly-user can overwrite bound targets (silently redirecting events)
Escalation Vectors Tested But Not Viable
- Self-referencing webhook to admin API (13_self_referencing_test.py)
- Webhook sends unsigned POST with event JSON body
- Admin endpoints require SigV4 auth -- unsigned request rejected
- "Confused deputy" via self-referencing does NOT work
- Protocol smuggling via non-HTTP targets
- Only 2 target types implemented: webhook and MQTT (
event.rs:613enforces this) - No Redis, Kafka, AMQP, or other protocol targets exist
- CRLF injection in webhook config fields sanitized by reqwest
- MQTT uses rumqttc (pure Rust binary protocol client), no raw TCP injection
- MQTT target for RCE
- No unsafe code in MQTT handler
- rumqttc 0.29.0 has no known public CVEs
- No Command::new, template engines, or deserialization of broker responses
- Unauth access
- Endpoints correctly reject unauthenticated requests (403)
- Endpoints correctly reject invalid credentials (403)
Prior Art
No existing advisory covers notification target endpoints. 11 published GHSAs on rustfs/rustfs cover different handlers. Closest:
- CVE-2026-22042 (ImportIam wrong action constant) -- same bug class, different file
- CVE-2026-22043 (deny_only short-circuit) -- different bug class
Recommendation
Submit via GitHub PVR. The finding is well-supported with live PoC, code references, and clear root cause. The fix is straightforward (add validate_admin_request calls to event.rs handlers). Core submission should reference 2-3 focused PoC scripts (readonly bypass, target hijack, event exfil), not the full set of 13 exploratory scripts.
Koda Reef
Patch
This issue has been patched in version https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94.
Analysis
Missing Admin Auth on Notification Target Endpoints in RustFS
Finding Summary
All four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a check_permissions helper that validates authentication only (access key + session token), without performing any admin-action authorization via validate_admin_request. Every other admin handler in the codebase correctly calls validate_admin_request with a specific AdminAction. This is the only admin handler file that skips authorization.
A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion.
What Was Proven Live
- Authorization bypass on all four endpoints (03_readonly_user_bypass.py)
- PUT, GET list, GET arns, DELETE all return 200 for readonly-user
- Control routes (list-users, kms/status) correctly return 403
- Unauthenticated requests correctly rejected (403 Signature required)
- SSRF via health probe (04_ssrf_listener_landing.py)
- HEAD request from rustfs container to attacker-controlled listener
- No host validation: only scheme check (http/https)
- Target hijacking and event exfiltration (05_target_hijacking.py, 06_full_event_exfil.py)
- Readonly-user overwrites admin-configured target URL by name
- Subsequent S3 events delivered to attacker-controlled endpoint
- Captured event body includes object keys, bucket names, user identities, and request metadata
- Audit evasion (05_target_hijacking.py)
- Readonly-user can delete unbound targets
- Readonly-user can overwrite bound targets (silently redirecting events)
Escalation Vectors Tested But Not Viable
- Self-referencing webhook to admin API (13_self_referencing_test.py)
- Webhook sends unsigned POST with event JSON body
- Admin endpoints require SigV4 auth -- unsigned request rejected
- "Confused deputy" via self-referencing does NOT work
- Protocol smuggling via non-HTTP targets
- Only 2 target types implemented: webhook and MQTT (
event.rs:613enforces this) - No Redis, Kafka, AMQP, or other protocol targets exist
- CRLF injection in webhook config fields sanitized by reqwest
- MQTT uses rumqttc (pure Rust binary protocol client), no raw TCP injection
- MQTT target for RCE
- No unsafe code in MQTT handler
- rumqttc 0.29.0 has no known public CVEs
- No Command::new, template engines, or deserialization of broker responses
- Unauth access
- Endpoints correctly reject unauthenticated requests (403)
- Endpoints correctly reject invalid credentials (403)
Prior Art
No existing advisory covers notification target endpoints. 11 published GHSAs on rustfs/rustfs cover different handlers. Closest:
- CVE-2026-22042 (ImportIam wrong action constant) -- same bug class, different file
- CVE-2026-22043 (deny_only short-circuit) -- different bug class
Recommendation
Submit via GitHub PVR. The finding is well-supported with live PoC, code references, and clear root cause. The fix is straightforward (add validate_admin_request calls to event.rs handlers). Core submission should reference 2-3 focused PoC scripts (readonly bypass, target hijack, event exfil), not the full set of 13 exploratory scripts.
Koda Reef
Patch
This issue has been patched in version https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94.
Technical ContextAI
Remote code execution allows an attacker to run arbitrary commands or code on the target system over a network without prior authentication. This vulnerability is classified as Missing Authorization (CWE-862).
RemediationAI
A vendor patch is available — apply it immediately. Apply vendor patches immediately. Restrict network access to vulnerable services. Implement network segmentation and monitoring for anomalous activity.
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i
UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific
Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user
Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.
A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab
An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability
An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4
goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v
Same weakness CWE-862 – Missing Authorization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25092
GHSA-pfcq-4gjr-6gjm