Impact
RustFS is a distributed object storage system written in Rust. A missing‑authorization flaw in the notification target admin API endpoints allows a user who holds normal (non‑admin) authentication credentials to overwrite a shared, admin‑defined notification target. The attacker can then redirect bucket events to a malicious webhook, intercepting events for other users and evading audit detection. This flaw is a missing‑authorization weakness (CWE‑862) that can compromise the confidentiality of event data and disrupt audit logs.
Affected Systems
The vulnerability affects RustFS as supplied by the RustFS vendor. Versions prior to 1.0.0‑alpha.94 expose the four notification target admin API endpoints without proper admin‑action authorization. The affected product is rustfs:rustfs; any deployment running a pre‑1.0.0‑alpha.94 build is potentially at risk.
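To make the missing check concrete, the following added illustration (not RustFS code) models a notification target endpoint in the two forms the advisory contrasts: one that only requires the caller to be authenticated, and a hardened one that additionally requires an explicit admin action before a shared target is overwritten. The type names and the action string "admin:SetNotificationTarget" are assumptions for this example.

```rust
use std::collections::HashMap;

/// Caller identity as established by request authentication (assumed model).
#[derive(Clone)]
pub struct Caller {
    pub name: String,
    /// Admin actions granted to this caller by policy; "admin:*" grants all.
    pub admin_actions: Vec<String>,
}

/// Shared, admin-defined notification targets: target id -> webhook endpoint.
#[derive(Default)]
pub struct TargetStore {
    pub targets: HashMap<String, String>,
}

#[derive(Debug, PartialEq)]
pub enum ApiError {
    AccessDenied,
}

/// Vulnerable pattern: authentication alone gates a mutation of shared state,
/// so any signed-in user can repoint a target that other users' events flow to.
pub fn set_target_unchecked(store: &mut TargetStore, _caller: &Caller, id: &str, endpoint: &str)
    -> Result<(), ApiError> {
    store.targets.insert(id.to_string(), endpoint.to_string());
    Ok(())
}

/// Hardened form: the endpoint names the admin action it performs and refuses
/// callers whose policy does not grant it, before any state is touched.
pub fn set_target_checked(store: &mut TargetStore, caller: &Caller, id: &str, endpoint: &str)
    -> Result<(), ApiError> {
    const REQUIRED: &str = "admin:SetNotificationTarget"; // assumed action name
    let allowed = caller.admin_actions.iter()
        .any(|a| a.as_str() == REQUIRED || a.as_str() == "admin:*");
    if !allowed {
        return Err(ApiError::AccessDenied);
    }
    store.targets.insert(id.to_string(), endpoint.to_string());
    Ok(())
}

fn main() {
    let user = Caller { name: "alice".into(), admin_actions: vec![] };
    let mut store = TargetStore::default();
    // Constructed sample: a non-admin attempt is rejected by the checked handler.
    let r = set_target_checked(&mut store, &user, "audit-hook", "https://webhook.example/x");
    println!("{}: {:?}", user.name, r);
}
```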
Risk and Exploitability
The CVSS score of 8.3 indicates high severity. No EPSS score is available, but the flaw can be exploited by any authenticated non‑admin user who can reach the admin API endpoints, which are typically exposed on the same host as the storage service. The vulnerability is not listed in the CISA KEV catalog, yet the lack of admin authorization makes it an easy vector for cross‑user data exfiltration and audit evasion.