Skip to main content

MinIO CVE-2026-40344

| EUVDEUVD-2026-24579 HIGH
Improper Authentication (CWE-287)
2026-04-22 GitHub_M GHSA-9c4q-hq6p-c237
8.8
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Apr 22, 2026 - 03:23 vuln.today
CVSS changed
Apr 22, 2026 - 01:22 NVD
8.8 (HIGH)
EUVD ID Assigned
Apr 22, 2026 - 01:00 euvd
EUVD-2026-24579
Analysis Generated
Apr 22, 2026 - 01:00 vuln.today
CVE Published
Apr 22, 2026 - 00:49 nvd
HIGH 8.8

DescriptionGitHub Advisory

MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler (PutObjectExtractHandler) allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default minioadmin, or any key with WRITE permission on a bucket) and a target bucket name. When authTypeStreamingUnsignedTrailer support was added, the new auth type was handled in PutObjectHandler and PutObjectPartHandler but was never added to PutObjectExtractHandler. The snowball auto-extract handler's switch rAuthType block has no case for authTypeStreamingUnsignedTrailer, so execution falls through with zero signature verification. The isPutActionAllowed call before the switch extracts the access key and checks IAM permissions, but does not verify the cryptographic signature. An attacker sends a PUT request with X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER, X-Amz-Meta-Snowball-Auto-Extract: true, and an Authorization header containing a valid access key with a completely fabricated signature. The request is accepted and the tar payload is extracted into the bucket. Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer. Reject any request containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer. Clients can use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead. Alternatively, restrict WRITE permissions. Limit s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.

AnalysisAI

Authentication bypass in MinIO RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z allows remote unauthenticated attackers to write arbitrary objects to any bucket by exploiting an unvalidated auth type in the Snowball auto-extract handler. Attackers need only a valid access key (including the default 'minioadmin') and can fabricate signatures without knowing the secret key. CVSS 8.8 reflects network-accessible, low-complexity exploitation with no authentication required (CVSS:4.0 PR:N). No public exploit identified at time of analysis, but exploitation requires only basic S3 API knowledge. Patched in RELEASE.2026-04-11T03-20-12Z per vendor advisory GHSA-9c4q-hq6p-c237.

Technical ContextAI

MinIO's Snowball auto-extract feature allows bulk import of objects via S3 PutObject requests containing tar archives, triggered by the X-Amz-Meta-Snowball-Auto-Extract header. The vulnerability stems from incomplete handling of AWS Signature Version 4 authentication types (CWE-287: Improper Authentication). When MinIO added support for authTypeStreamingUnsignedTrailer in standard PutObject handlers, the implementation failed to include this auth type in PutObjectExtractHandler's authentication switch statement. The handler performs IAM permission checks via isPutActionAllowed (verifying the access key has WRITE permission) but then falls through the auth type switch without cryptographic signature validation when STREAMING-UNSIGNED-PAYLOAD-TRAILER is specified. This creates a logic flaw where authorization (checking who you claim to be has permission) succeeds but authentication (verifying you are who you claim to be) is skipped entirely. Affected products per CPE: cpe:2.3:a:minio:minio from RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z.

RemediationAI

Primary fix: Upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later immediately, as confirmed by vendor advisory GHSA-9c4q-hq6p-c237 (https://github.com/minio/minio/security/advisories/GHSA-9c4q-hq6p-c237). The patch adds authTypeStreamingUnsignedTrailer validation to PutObjectExtractHandler per commit 76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091. If immediate upgrade is not feasible, implement one of these compensating controls: (1) Block unsigned-trailer requests at perimeter - configure reverse proxy, WAF, or load balancer to reject any HTTP request containing header 'X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER'. This prevents exploitation but may break legitimate clients using unsigned streaming uploads; verify no production workloads require this feature before deployment. (2) Enforce signed variant - reconfigure S3 clients to use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the cryptographically signed streaming mode) instead of the unsigned variant. Requires client-side changes and secret key distribution. (3) Restrictive IAM policies - limit s3:PutObject grants to only highly trusted service principals and remove WRITE permissions from any potentially compromised or default keys like 'minioadmin'. Critical: This mitigation only reduces attack surface and does NOT eliminate the vulnerability; any remaining key with WRITE permission can still exploit the flaw. Change default 'minioadmin' credentials immediately regardless of other mitigations. Trade-offs: Perimeter blocking is most effective but may impact legitimate unsigned uploads; IAM restriction requires operational overhead and still leaves residual risk.

More in Minio

View all
CVE-2023-28434 HIGH POC
8.8 Mar 22

Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita

CVE-2023-25812 HIGH POC
8.8 Feb 21

Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita

CVE-2022-24842 HIGH POC
8.8 Apr 12

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. Rated high severity (C

CVE-2021-21287 HIGH POC
7.7 Feb 01

MinIO is a High Performance Object Storage released under Apache License v2.0. Rated high severity (CVSS 7.7), this vuln

CVE-2023-28432 HIGH POC
7.5 Mar 22

Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploita

CVE-2022-31028 HIGH POC
7.5 Jun 07

MinIO is a multi-cloud object storage solution. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitab

CVE-2023-27589 MEDIUM POC
6.5 Mar 14

Minio is a Multi-Cloud Object Storage framework. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi

CVE-2021-21362 MEDIUM POC
6.5 Mar 08

MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage se

CVE-2021-21390 MEDIUM POC
5.9 Mar 19

MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage se

CVE-2026-41145 HIGH
8.8 Apr 22

Authentication bypass in MinIO object storage allows remote attackers to write arbitrary objects to any bucket using onl

CVE-2023-28433 HIGH
8.8 Mar 22

Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita

CVE-2021-43858 HIGH
8.8 Dec 27

MinIO is a Kubernetes native application for cloud storage. Rated high severity (CVSS 8.8), this vulnerability is remote

Share

CVE-2026-40344 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy