Skip to main content

Redis CVE-2026-40937

| EUVDEUVD-2026-25092 HIGH
Missing Authorization (CWE-862)
2026-04-22 https://github.com/rustfs/rustfs GHSA-pfcq-4gjr-6gjm
8.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.3 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

6
Re-analysis Queued
Apr 24, 2026 - 13:22 vuln.today
cvss_changed
Patch released
Apr 24, 2026 - 13:12 nvd
Patch available
Patch available
Apr 22, 2026 - 22:02 EUVD
EUVD ID Assigned
Apr 22, 2026 - 19:31 euvd
EUVD-2026-25092
Analysis Generated
Apr 22, 2026 - 19:31 vuln.today
CVE Published
Apr 22, 2026 - 19:24 nvd
HIGH 8.3

DescriptionGitHub Advisory

Missing Admin Auth on Notification Target Endpoints in RustFS

Finding Summary

All four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a check_permissions helper that validates authentication only (access key + session token), without performing any admin-action authorization via validate_admin_request. Every other admin handler in the codebase correctly calls validate_admin_request with a specific AdminAction. This is the only admin handler file that skips authorization.

A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion.

What Was Proven Live

  1. Authorization bypass on all four endpoints (03_readonly_user_bypass.py)
  • PUT, GET list, GET arns, DELETE all return 200 for readonly-user
  • Control routes (list-users, kms/status) correctly return 403
  • Unauthenticated requests correctly rejected (403 Signature required)
  1. SSRF via health probe (04_ssrf_listener_landing.py)
  • HEAD request from rustfs container to attacker-controlled listener
  • No host validation: only scheme check (http/https)
  1. Target hijacking and event exfiltration (05_target_hijacking.py, 06_full_event_exfil.py)
  • Readonly-user overwrites admin-configured target URL by name
  • Subsequent S3 events delivered to attacker-controlled endpoint
  • Captured event body includes object keys, bucket names, user identities, and request metadata
  1. Audit evasion (05_target_hijacking.py)
  • Readonly-user can delete unbound targets
  • Readonly-user can overwrite bound targets (silently redirecting events)

Escalation Vectors Tested But Not Viable

  1. Self-referencing webhook to admin API (13_self_referencing_test.py)
  • Webhook sends unsigned POST with event JSON body
  • Admin endpoints require SigV4 auth -- unsigned request rejected
  • "Confused deputy" via self-referencing does NOT work
  1. Protocol smuggling via non-HTTP targets
  • Only 2 target types implemented: webhook and MQTT (event.rs:613 enforces this)
  • No Redis, Kafka, AMQP, or other protocol targets exist
  • CRLF injection in webhook config fields sanitized by reqwest
  • MQTT uses rumqttc (pure Rust binary protocol client), no raw TCP injection
  1. MQTT target for RCE
  • No unsafe code in MQTT handler
  • rumqttc 0.29.0 has no known public CVEs
  • No Command::new, template engines, or deserialization of broker responses
  1. Unauth access
  • Endpoints correctly reject unauthenticated requests (403)
  • Endpoints correctly reject invalid credentials (403)

Prior Art

No existing advisory covers notification target endpoints. 11 published GHSAs on rustfs/rustfs cover different handlers. Closest:

  • CVE-2026-22042 (ImportIam wrong action constant) -- same bug class, different file
  • CVE-2026-22043 (deny_only short-circuit) -- different bug class

Recommendation

Submit via GitHub PVR. The finding is well-supported with live PoC, code references, and clear root cause. The fix is straightforward (add validate_admin_request calls to event.rs handlers). Core submission should reference 2-3 focused PoC scripts (readonly bypass, target hijack, event exfil), not the full set of 13 exploratory scripts.

Koda Reef

Patch

This issue has been patched in version https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94.

Analysis

Missing Admin Auth on Notification Target Endpoints in RustFS

Finding Summary

All four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a check_permissions helper that validates authentication only (access key + session token), without performing any admin-action authorization via validate_admin_request. Every other admin handler in the codebase correctly calls validate_admin_request with a specific AdminAction. This is the only admin handler file that skips authorization.

A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion.

What Was Proven Live

  1. Authorization bypass on all four endpoints (03_readonly_user_bypass.py)
  • PUT, GET list, GET arns, DELETE all return 200 for readonly-user
  • Control routes (list-users, kms/status) correctly return 403
  • Unauthenticated requests correctly rejected (403 Signature required)
  1. SSRF via health probe (04_ssrf_listener_landing.py)
  • HEAD request from rustfs container to attacker-controlled listener
  • No host validation: only scheme check (http/https)
  1. Target hijacking and event exfiltration (05_target_hijacking.py, 06_full_event_exfil.py)
  • Readonly-user overwrites admin-configured target URL by name
  • Subsequent S3 events delivered to attacker-controlled endpoint
  • Captured event body includes object keys, bucket names, user identities, and request metadata
  1. Audit evasion (05_target_hijacking.py)
  • Readonly-user can delete unbound targets
  • Readonly-user can overwrite bound targets (silently redirecting events)

Escalation Vectors Tested But Not Viable

  1. Self-referencing webhook to admin API (13_self_referencing_test.py)
  • Webhook sends unsigned POST with event JSON body
  • Admin endpoints require SigV4 auth -- unsigned request rejected
  • "Confused deputy" via self-referencing does NOT work
  1. Protocol smuggling via non-HTTP targets
  • Only 2 target types implemented: webhook and MQTT (event.rs:613 enforces this)
  • No Redis, Kafka, AMQP, or other protocol targets exist
  • CRLF injection in webhook config fields sanitized by reqwest
  • MQTT uses rumqttc (pure Rust binary protocol client), no raw TCP injection
  1. MQTT target for RCE
  • No unsafe code in MQTT handler
  • rumqttc 0.29.0 has no known public CVEs
  • No Command::new, template engines, or deserialization of broker responses
  1. Unauth access
  • Endpoints correctly reject unauthenticated requests (403)
  • Endpoints correctly reject invalid credentials (403)

Prior Art

No existing advisory covers notification target endpoints. 11 published GHSAs on rustfs/rustfs cover different handlers. Closest:

  • CVE-2026-22042 (ImportIam wrong action constant) -- same bug class, different file
  • CVE-2026-22043 (deny_only short-circuit) -- different bug class

Recommendation

Submit via GitHub PVR. The finding is well-supported with live PoC, code references, and clear root cause. The fix is straightforward (add validate_admin_request calls to event.rs handlers). Core submission should reference 2-3 focused PoC scripts (readonly bypass, target hijack, event exfil), not the full set of 13 exploratory scripts.

Koda Reef

Patch

This issue has been patched in version https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94.

Technical ContextAI

Remote code execution allows an attacker to run arbitrary commands or code on the target system over a network without prior authentication. This vulnerability is classified as Missing Authorization (CWE-862).

RemediationAI

A vendor patch is available — apply it immediately. Apply vendor patches immediately. Restrict network access to vulnerable services. Implement network segmentation and monitoring for anomalous activity.

More in Redis

View all
CVE-2026-48172 CRITICAL POC
10.0 May 21

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i

CVE-2025-49844 CRITICAL POC
9.9 Oct 03

UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.

CVE-2022-0543 CRITICAL POC
10.0 Feb 18

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific

CVE-2018-11218 CRITICAL POC
9.8 Jun 17

Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,

CVE-2025-46817 HIGH POC
7.0 Oct 03

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user

CVE-2015-4335 CRITICAL POC
10.0 Jun 09

Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.

CVE-2016-8339 CRITICAL POC
9.8 Oct 28

A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr

CVE-2026-27574 CRITICAL POC
9.9 Feb 21

Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.

CVE-2021-31649 CRITICAL POC
9.8 Jun 24

In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab

CVE-2020-11981 CRITICAL POC
9.8 Jul 17

An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2018-11219 CRITICAL POC
9.8 Jun 17

An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4

CVE-2024-23998 CRITICAL POC
9.6 Jul 05

goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v

Share

CVE-2026-40937 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy