Skip to main content

MinIO CVE-2026-41145

| EUVDEUVD-2026-24581 HIGH
Improper Authentication (CWE-287)
2026-04-22 GitHub_M GHSA-hv4r-mvr4-25vw
8.8
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Apr 22, 2026 - 03:23 vuln.today
CVSS changed
Apr 22, 2026 - 01:22 NVD
8.8 (HIGH)
EUVD ID Assigned
Apr 22, 2026 - 01:00 euvd
EUVD-2026-24581
Analysis Generated
Apr 22, 2026 - 01:00 vuln.today
CVE Published
Apr 22, 2026 - 00:54 nvd
HIGH 8.8

DescriptionGitHub Advisory

MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's STREAMING-UNSIGNED-PAYLOAD-TRAILER code path allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default minioadmin, or any key with WRITE permission on a bucket) and a target bucket name. PutObjectHandler and PutObjectPartHandler call newUnsignedV4ChunkedReader with a signature verification gate based solely on the presence of the Authorization header. Meanwhile, isPutActionAllowed extracts credentials from either the Authorization header or the X-Amz-Credential query parameter, and trusts whichever it finds. An attacker omits the Authorization header and supplies credentials exclusively via the query string. The signature gate evaluates to false, doesSignatureMatch is never called, and the request proceeds with the permissions of the impersonated access key. This affects PutObjectHandler (standard and tables/warehouse bucket paths) and PutObjectPartHandler (multipart uploads). Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer. Reject any request containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer. Clients can use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead. Alternatively, restrict WRITE permissions. Limit s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.

AnalysisAI

Authentication bypass in MinIO object storage allows remote attackers to write arbitrary objects to any bucket using only a valid access key, without the corresponding secret key or cryptographic signature. The vulnerability affects MinIO RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z. Attackers can impersonate any user with WRITE permissions by exploiting a logic flaw in the STREAMING-UNSIGNED-PAYLOAD-TRAILER code path that incorrectly validates credentials from query parameters while bypassing signature verification. Vendor-released patch available in RELEASE.2026-04-11T03-20-12Z (GitHub commit 76913a9f). No public exploit identified at time of analysis, but exploitation requires only knowledge of a valid access key and target bucket name.

Technical ContextAI

MinIO is an S3-compatible high-performance object storage system written in Go. This vulnerability exploits a logic error in how MinIO handles AWS Signature Version 4 streaming requests with unsigned payload trailers. The flaw exists in the interaction between two handler functions: PutObjectHandler and PutObjectPartHandler call newUnsignedV4ChunkedReader with a signature verification gate that checks only for the presence of the Authorization HTTP header, while isPutActionAllowed extracts credentials from either the Authorization header OR the X-Amz-Credential query parameter. By omitting the Authorization header and providing credentials exclusively via query string parameters, attackers bypass the signature verification gate entirely-doesSignatureMatch is never invoked-yet the request proceeds with the permissions of the supplied access key. This is a classic confused deputy problem (CWE-287: Improper Authentication) where different code paths use inconsistent credential extraction and validation logic.

RemediationAI

Upgrade immediately to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later, which contains the fix implemented in GitHub commit 76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091 (pull request #16484 available at https://github.com/minio/minio/pull/16484). If immediate patching is not feasible, implement one of these compensating controls: (1) Block unsigned-trailer requests at the load balancer or reverse proxy by rejecting any HTTP request containing the header 'X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER'-this prevents exploitation but may break legitimate clients using unsigned trailers (clients should migrate to STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER signed variant); (2) Restrict s3:PutObject IAM permissions to only trusted principals and rotate or disable the default 'minioadmin' access key-this reduces attack surface but does not eliminate the vulnerability since any remaining user with WRITE permission can still exploit it. The first workaround is more effective but requires infrastructure changes; the second is partial mitigation only. Organizations should prioritize patching over workarounds given the authentication bypass severity.

More in Minio

View all
CVE-2023-28434 HIGH POC
8.8 Mar 22

Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita

CVE-2023-25812 HIGH POC
8.8 Feb 21

Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita

CVE-2022-24842 HIGH POC
8.8 Apr 12

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. Rated high severity (C

CVE-2021-21287 HIGH POC
7.7 Feb 01

MinIO is a High Performance Object Storage released under Apache License v2.0. Rated high severity (CVSS 7.7), this vuln

CVE-2023-28432 HIGH POC
7.5 Mar 22

Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploita

CVE-2022-31028 HIGH POC
7.5 Jun 07

MinIO is a multi-cloud object storage solution. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitab

CVE-2023-27589 MEDIUM POC
6.5 Mar 14

Minio is a Multi-Cloud Object Storage framework. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi

CVE-2021-21362 MEDIUM POC
6.5 Mar 08

MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage se

CVE-2021-21390 MEDIUM POC
5.9 Mar 19

MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage se

CVE-2026-40344 HIGH
8.8 Apr 22

Authentication bypass in MinIO RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z allows remote unauthent

CVE-2023-28433 HIGH
8.8 Mar 22

Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita

CVE-2021-43858 HIGH
8.8 Dec 27

MinIO is a Kubernetes native application for cloud storage. Rated high severity (CVSS 8.8), this vulnerability is remote

Share

CVE-2026-41145 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy