Improper authorization control for web services in rustfs

Description

RustFS: Missing admin authorization on notification target endpoints allows unauthenticated configuration of event webhooks

Missing Admin Auth on Notification Target Endpoints in RustFS

Finding Summary

All four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a check_permissions helper that validates authentication only (access key + session token), without performing any admin-action authorization via validate_admin_request. Every other admin handler in the codebase correctly calls validate_admin_request with a specific AdminAction. This is the only admin handler file that skips authorization.

A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion.

What Was Proven Live

    Authorization bypass on all four endpoints (03_readonly_user_bypass.py)

      PUT, GET list, GET arns, DELETE all return 200 for readonly-user

      Control routes (list-users, kms/status) correctly return 403

      Unauthenticated requests correctly rejected (403 Signature required)

    SSRF via health probe (04_ssrf_listener_landing.py)

      HEAD request from rustfs container to attacker-controlled listener

      No host validation: only scheme check (http/https)

    Target hijacking and event exfiltration (05_target_hijacking.py, 06_full_event_exfil.py)

      Readonly-user overwrites admin-configured target URL by name

      Subsequent S3 events delivered to attacker-controlled endpoint

      Captured event body includes object keys, bucket names, user identities, and request metadata

    Audit evasion (05_target_hijacking.py)

      Readonly-user can delete unbound targets

      Readonly-user can overwrite bound targets (silently redirecting events)
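The SSRF item above notes that the health probe validates only the URL scheme, not the host. As an added illustration that is not RustFS code, the block below places a scheme-only check beside a stricter validator for a webhook target URL. The helper names (check_scheme_only, extract_host, validate_target_url) are hypothetical, the code uses only the Rust standard library, and the sample URLs are constructed. It rejects literal addresses in the loopback, private, link-local, unspecified and broadcast ranges (including IPv4-mapped IPv6 forms) and the name "localhost"; resolving other hostnames and pinning the resolved address is a further step not shown here.

```rust
// Added illustration, not RustFS code: a hypothetical validate_target_url that
// goes beyond the scheme-only check the advisory found. std-only so it runs
// offline; all helper names and sample URLs are constructed for this example.
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum UrlError {
    BadScheme,
    NoHost,
    ForbiddenHost(String),
}

/// The weak form: only the scheme is checked, so any host is accepted.
pub fn check_scheme_only(url: &str) -> Result<(), UrlError> {
    if url.starts_with("http://") || url.starts_with("https://") {
        Ok(())
    } else {
        Err(UrlError::BadScheme)
    }
}

/// Pull the host out of the authority part of an http(s) URL, dropping
/// userinfo, the port and IPv6 brackets. Returns None when there is no host.
pub fn extract_host(url: &str) -> Option<String> {
    let rest = url
        .strip_prefix("http://")
        .or_else(|| url.strip_prefix("https://"))?;
    let end = rest.find(['/', '?', '#']).unwrap_or(rest.len());
    let authority = &rest[..end];
    // Anything before the last '@' is userinfo.
    let hostport = authority.rsplit('@').next().unwrap_or(authority);
    let host = if let Some(bracketed) = hostport.strip_prefix('[') {
        bracketed.split(']').next()?
    } else {
        hostport.split(':').next()?
    };
    if host.is_empty() {
        None
    } else {
        Some(host.to_string())
    }
}

fn is_forbidden_v4(a: Ipv4Addr) -> bool {
    a.is_loopback() || a.is_private() || a.is_link_local() || a.is_unspecified() || a.is_broadcast()
}

fn is_forbidden_v6(a: Ipv6Addr) -> bool {
    let seg0 = a.segments()[0];
    a.is_loopback()
        || a.is_unspecified()
        || (seg0 & 0xfe00) == 0xfc00 // fc00::/7, unique local
        || (seg0 & 0xffc0) == 0xfe80 // fe80::/10, link local
        || a.to_ipv4_mapped().map_or(false, is_forbidden_v4)
}

/// The stricter form: scheme, a present host, and no address that points back
/// into the server's own network. Returns the normalized host on success.
pub fn validate_target_url(url: &str) -> Result<String, UrlError> {
    let lower = url.to_ascii_lowercase();
    check_scheme_only(&lower)?;
    let host = extract_host(&lower).ok_or(UrlError::NoHost)?;
    let forbidden = match host.parse::<IpAddr>() {
        Ok(IpAddr::V4(a)) => is_forbidden_v4(a),
        Ok(IpAddr::V6(a)) => is_forbidden_v6(a),
        Err(_) => host == "localhost" || host.ends_with(".localhost"),
    };
    if forbidden {
        Err(UrlError::ForbiddenHost(host))
    } else {
        Ok(host)
    }
}

fn main() {
    // Constructed sample targets: one acceptable, the rest pointing at the host's own network.
    for url in [
        "https://hooks.example.com/events",
        "http://127.0.0.1:9000/",
        "http://[::1]:9000/",
        "http://user:pw@localhost/hook",
        "http://10.0.0.5/",
        "ftp://example.com/",
    ] {
        println!("scheme-only {:?}  strict {:?}  <- {url}", check_scheme_only(url), validate_target_url(url));
    }
}
```

The scheme-only check accepts every URL in the list except the ftp one, which is the behaviour the advisory describes; the stricter check returns the host only for the public hostname.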

Escalation Vectors Tested But Not Viable

    Self-referencing webhook to admin API (13_self_referencing_test.py)

      Webhook sends unsigned POST with event JSON body

      Admin endpoints require SigV4 auth -- unsigned request rejected

      "Confused deputy" via self-referencing does NOT work

    Protocol smuggling via non-HTTP targets

      Only 2 target types implemented: webhook and MQTT (event.rs:613 enforces this)

      No Redis, Kafka, AMQP, or other protocol targets exist

      CRLF injection in webhook config fields sanitized by reqwest

      MQTT uses rumqttc (pure Rust binary protocol client), no raw TCP injection

    MQTT target for RCE

      No unsafe code in MQTT handler

      rumqttc 0.29.0 has no known public CVEs

      No Command::new, template engines, or deserialization of broker responses

    Unauthenticated access

      Endpoints correctly reject unauthenticated requests (403)

      Endpoints correctly reject invalid credentials (403)

Prior Art

No existing advisory covers notification target endpoints. 11 published GHSAs on rustfs/rustfs cover different handlers. Closest:

    CVE-2026-22042 (ImportIam wrong action constant) -- same bug class, different file

    CVE-2026-22043 (deny_only short-circuit) -- different bug class

Recommendation

Submit via GitHub PVR. The finding is well-supported with live PoC, code references, and clear root cause. The fix is straightforward (add validate_admin_request calls to event.rs handlers). Core submission should reference 2-3 focused PoC scripts (readonly bypass, target hijack, event exfil), not the full set of 13 exploratory scripts.
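The Finding Summary describes the root cause (a helper that checks authentication only) and the Recommendation names the fix (call validate_admin_request with a specific AdminAction in each handler). The block below is an added illustration of that difference, not RustFS code: the types and functions (Identity, AdminAction, check_permissions, validate_admin_request, TargetStore and the two put_target handlers) are hypothetical stand-ins whose names mirror the advisory, and the sample identities are constructed. It shows the same PUT handler wired both ways, so that a signed request from a read-only user succeeds against the first and is refused by the second.

```rust
// Added illustration, not RustFS code: the names below (Identity, AdminAction,
// check_permissions, validate_admin_request, TargetStore) are hypothetical
// stand-ins chosen to mirror the advisory's description.
use std::collections::{HashMap, HashSet};

/// Admin actions a handler may require. Variant names are assumptions.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum AdminAction {
    SetNotificationTarget,
    ListNotificationTargets,
    RemoveNotificationTarget,
}

/// A caller whose request signature and session token have already been verified.
#[derive(Debug, Clone)]
pub struct Identity {
    pub access_key: String,
    pub is_admin: bool,
    pub allowed: HashSet<AdminAction>,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum AuthError {
    /// No valid signature or session token on the request.
    Unauthenticated,
    /// Authenticated, but not permitted to perform this admin action.
    Forbidden(AdminAction),
}

/// Authentication only. This is the shape of the weak helper the advisory
/// describes: any caller with valid credentials passes, whatever their role.
pub fn check_permissions(caller: Option<&Identity>) -> Result<&Identity, AuthError> {
    caller.ok_or(AuthError::Unauthenticated)
}

/// Authentication plus authorization for one specific admin action. This is
/// the shape of the fix the advisory recommends for each event.rs handler.
pub fn validate_admin_request(
    caller: Option<&Identity>,
    action: AdminAction,
) -> Result<&Identity, AuthError> {
    let id = check_permissions(caller)?;
    if id.is_admin || id.allowed.contains(&action) {
        Ok(id)
    } else {
        Err(AuthError::Forbidden(action))
    }
}

/// In-memory stand-in for the notification target configuration (name -> URL).
#[derive(Debug, Default)]
pub struct TargetStore {
    pub targets: HashMap<String, String>,
}

/// PUT handler wired the vulnerable way: a signed request from any user,
/// including a read-only one, overwrites the named target.
pub fn put_target_vulnerable(
    store: &mut TargetStore,
    caller: Option<&Identity>,
    name: &str,
    url: &str,
) -> Result<(), AuthError> {
    check_permissions(caller)?;
    store.targets.insert(name.to_string(), url.to_string());
    Ok(())
}

/// PUT handler wired the fixed way: the caller must hold the specific action.
pub fn put_target_fixed(
    store: &mut TargetStore,
    caller: Option<&Identity>,
    name: &str,
    url: &str,
) -> Result<(), AuthError> {
    validate_admin_request(caller, AdminAction::SetNotificationTarget)?;
    store.targets.insert(name.to_string(), url.to_string());
    Ok(())
}

/// Constructed sample identities for the demonstration.
pub fn readonly_user() -> Identity {
    Identity { access_key: "readonly-user".into(), is_admin: false, allowed: HashSet::new() }
}

pub fn admin_user() -> Identity {
    Identity { access_key: "admin".into(), is_admin: true, allowed: HashSet::new() }
}

fn main() {
    let mut store = TargetStore::default();
    let ro = readonly_user();
    let url = "http://unreviewed.example/hook";
    println!("vulnerable PUT as readonly-user: {:?}", put_target_vulnerable(&mut store, Some(&ro), "shared", url));
    println!("fixed PUT as readonly-user:      {:?}", put_target_fixed(&mut store, Some(&ro), "shared", url));
    println!("fixed PUT unauthenticated:       {:?}", put_target_fixed(&mut store, None, "shared", url));
}
```

The unauthenticated path is rejected by both variants, which matches the advisory's observation that the endpoints correctly return 403 without credentials; the gap is only between authentication and authorization for signed callers.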

Koda Reef

Patch

This issue has been patched in version 1.0.0-alpha.94 (https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
