Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's STREAMING-UNSIGNED-PAYLOAD-TRAILER code path allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default minioadmin, or any key with WRITE permission on a bucket) and a target bucket name. PutObjectHandler and PutObjectPartHandler call newUnsignedV4ChunkedReader with a signature verification gate based solely on the presence of the Authorization header. Meanwhile, isPutActionAllowed extracts credentials from either the Authorization header or the X-Amz-Credential query parameter, and trusts whichever it finds. An attacker omits the Authorization header and supplies credentials exclusively via the query string. The signature gate evaluates to false, doesSignatureMatch is never called, and the request proceeds with the permissions of the impersonated access key. This affects PutObjectHandler (standard and tables/warehouse bucket paths) and PutObjectPartHandler (multipart uploads). Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer. Reject any request containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer. Clients can use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead. Alternatively, restrict WRITE permissions. Limit s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.
AnalysisAI
Authentication bypass in MinIO object storage allows remote attackers to write arbitrary objects to any bucket using only a valid access key, without the corresponding secret key or cryptographic signature. The vulnerability affects MinIO RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z. Attackers can impersonate any user with WRITE permissions by exploiting a logic flaw in the STREAMING-UNSIGNED-PAYLOAD-TRAILER code path that incorrectly validates credentials from query parameters while bypassing signature verification. Vendor-released patch available in RELEASE.2026-04-11T03-20-12Z (GitHub commit 76913a9f). No public exploit identified at time of analysis, but exploitation requires only knowledge of a valid access key and target bucket name.
Technical ContextAI
MinIO is an S3-compatible high-performance object storage system written in Go. This vulnerability exploits a logic error in how MinIO handles AWS Signature Version 4 streaming requests with unsigned payload trailers. The flaw exists in the interaction between two handler functions: PutObjectHandler and PutObjectPartHandler call newUnsignedV4ChunkedReader with a signature verification gate that checks only for the presence of the Authorization HTTP header, while isPutActionAllowed extracts credentials from either the Authorization header OR the X-Amz-Credential query parameter. By omitting the Authorization header and providing credentials exclusively via query string parameters, attackers bypass the signature verification gate entirely-doesSignatureMatch is never invoked-yet the request proceeds with the permissions of the supplied access key. This is a classic confused deputy problem (CWE-287: Improper Authentication) where different code paths use inconsistent credential extraction and validation logic.
RemediationAI
Upgrade immediately to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later, which contains the fix implemented in GitHub commit 76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091 (pull request #16484 available at https://github.com/minio/minio/pull/16484). If immediate patching is not feasible, implement one of these compensating controls: (1) Block unsigned-trailer requests at the load balancer or reverse proxy by rejecting any HTTP request containing the header 'X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER'-this prevents exploitation but may break legitimate clients using unsigned trailers (clients should migrate to STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER signed variant); (2) Restrict s3:PutObject IAM permissions to only trusted principals and rotate or disable the default 'minioadmin' access key-this reduces attack surface but does not eliminate the vulnerability since any remaining user with WRITE permission can still exploit it. The first workaround is more effective but requires infrastructure changes; the second is partial mitigation only. Organizations should prioritize patching over workarounds given the authentication bypass severity.
Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita
Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. Rated high severity (C
MinIO is a High Performance Object Storage released under Apache License v2.0. Rated high severity (CVSS 7.7), this vuln
Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploita
MinIO is a multi-cloud object storage solution. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitab
Minio is a Multi-Cloud Object Storage framework. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi
MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage se
MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage se
Authentication bypass in MinIO RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z allows remote unauthent
Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita
MinIO is a Kubernetes native application for cloud storage. Rated high severity (CVSS 8.8), this vulnerability is remote
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24581
GHSA-hv4r-mvr4-25vw