Skip to main content

MinIO CVE-2026-42600

MEDIUM
Path Traversal (CWE-22)
2026-05-05 https://github.com/minio/minio GHSA-xh8f-g2qw-gcm7
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
May 11, 2026 - 22:37 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
May 05, 2026 - 21:01 vuln.today
Analysis Generated
May 05, 2026 - 21:01 vuln.today

DescriptionGitHub Advisory

Impact

_What kind of vulnerability is it? Who is impacted?_

A path traversal vulnerability in MinIO's ReadMultiple internode storage-REST endpoint allows a caller holding the cluster root JWT to read files from outside the configured drive roots, bounded only by the MinIO process UID.

Distributed-erasure (multi-node) MinIO deployments are impacted. Single-node standalone deployments do not register the route and are not affected. The attack requires an HS512 JWT signed with MINIO_ROOT_PASSWORD and carrying accessKey = MINIO_ROOT_USER - the same secret every peer in the cluster holds to authenticate internode traffic, so a compromised peer or any actor in possession of the root credential can mint one.

The ReadMultiple handler (cmd/storage-rest-server.go) decodes a msgpack ReadMultipleReq body containing Bucket, Prefix, and Files fields and forwards them to xlStorage.ReadMultiple (cmd/xl-storage.go) without validation:

go
volumeDir := pathJoin(s.drivePath, req.Bucket)          // traversal resolves here
for _, f := range req.Files {
    fullPath := pathJoin(volumeDir, req.Prefix, f)
    data, mt, err = s.readAllDataWithDMTime(ctx, req.Bucket, volumeDir, fullPath)
}

pathJoin calls path.Clean, which resolves .. components and produces an absolute path anywhere on the filesystem - it is not a root jail. The global setRequestValidityMiddleware rejects .. in r.URL.Path and r.Form but does not inspect request bodies, so msgpack-encoded traversal bypasses it. Sibling storage methods (StatInfoFile, ReadFileHandler, ReadVersion) validate their volume argument through s.getVolDir(volume), which rejects ..; ReadMultiple skips this call.

The attacker sends POST /minio/storage/{drivePath}/v63/rmpl with a msgpack-encoded body carrying ../ sequences in the Bucket field. The server opens the resulting path via os.OpenFile with O_RDONLY|O_NOATIME and returns its contents in the msgpack response stream.

Impact by deployment:

  • Bare-metal with User=minio in the systemd unit - the O_NOATIME

ownership check bounds the read to files owned by the MinIO UID. Reachable secrets include TLS private keys, KMS/KES key material, systemd credentials, and data belonging to other tenants sharing the same UID on the host. Secrets leaked this way persist across cluster credential rotation.

  • Containerized running as UID 0 (the historical default for the official

Docker image, docker-compose examples, and Helm charts without securityContext.runAsNonRoot) - the primitive escalates to arbitrary host-filesystem disclosure: /etc/shadow, /root/**, Kubernetes service-account tokens, cloud-init metadata caches.

Affected components: cmd/storage-rest-server.go (ReadMultiple handler), cmd/xl-storage.go (xlStorage.ReadMultiple).

CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory

  • 'Path Traversal')

CVSS v4.0 Score: 6.9 (Medium)

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Versions

All MinIO releases from RELEASE.2022-07-24T01-54-52Z through the final release of the minio/minio open-source project, RELEASE.2025-09-07T16-13-09Z.

The vulnerability was introduced in commit f939d1c18 ("Independent Multipart Uploads", PR #15346), which added the ReadMultiple storage-REST endpoint as part of the multipart upload redesign. The first affected release is RELEASE.2022-07-24T01-54-52Z.

Patches

Fixed in: MinIO AIStor RELEASE.2026-04-14T21-32-45Z (recommended upgrade target). The fix - which removed the ReadMultiple handler, the corresponding storage-driver method, the msgpack datatypes, the REST-client wrapper, and the route registration - first shipped in MinIO AIStor RELEASE.2024-10-23T19-38-07Z. Every AIStor release from RELEASE.2024-10-23T19-38-07Z onward is unaffected; users should upgrade to RELEASE.2026-04-14T21-32-45Z or later to pick up the accumulated fixes and improvements shipped since.

Binary Downloads
PlatformArchitectureDownload
Linuxamd64minio
Linuxarm64minio
macOSarm64minio
macOSamd64minio
Windowsamd64minio.exe
FIPS Binaries
PlatformArchitectureDownload
Linuxamd64minio.fips
Linuxarm64minio.fips
Package Downloads
Container Images
bash
# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-14T21-32-45Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-14T21-32-45Z
# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-14T21-32-45Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-14T21-32-45Z.fips
Homebrew (macOS)
bash
brew install minio/aistor/minio

Workarounds

If upgrading is not immediately possible:

  • Rotate the root credential and restrict who holds it. The exploit

requires a JWT signed with MINIO_ROOT_PASSWORD. Treat the root credential as the host-filesystem disclosure primitive that it is: rotate it after any suspected exposure, store it only in the secret manager that bootstraps the cluster, and do not hand it to applications or operators who only need object-level access.

  • Do not run the MinIO container as UID 0. Set

securityContext.runAsNonRoot: true (and a non-zero runAsUser) in Kubernetes manifests, or add --user to docker run. This reduces the blast radius from arbitrary host-filesystem disclosure to MinIO-UID-owned files only.

  • Restrict the internode storage-REST port at the network layer. In

distributed deployments, the storage-REST route is served on the same port as the S3 API by default. Where feasible, use --internode-port to expose internode traffic on a separate interface reachable only from other cluster peers, and block that interface from client networks.

Credits

  • Finders: Discovered by Claude, Anthropic's AI assistant, and triaged by

Adrian Denkiewicz at Doyensec in collaboration with Anthropic Research.

Resources

(PR #15346)

AnalysisAI

Path traversal in MinIO's ReadMultiple internode storage-REST endpoint allows authenticated cluster peers or root-credential holders to read arbitrary files from the host filesystem outside configured drive roots. Distributed-erasure (multi-node) deployments are affected; single-node standalone deployments are not. The vulnerability exists in all releases from RELEASE.2022-07-24T01-54-52Z through RELEASE.2025-09-07T16-13-09Z and has been fixed as of MinIO AIStor RELEASE.2024-10-23T19-38-07Z (with security patch RELEASE.2026-04-14T21-32-45Z recommended). No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

The vulnerability stems from insufficient input validation in the ReadMultiple handler (cmd/storage-rest-server.go), which accepts msgpack-encoded request bodies containing Bucket, Prefix, and Files fields. These fields are passed to xlStorage.ReadMultiple without validation, then concatenated using pathJoin (which calls path.Clean). The path.Clean function resolves '..' components to produce arbitrary absolute paths on the filesystem but does not enforce a root jail. This bypasses the global setRequestValidityMiddleware, which only inspects URL paths and form data, not request bodies. Sibling storage methods like StatInfoFile and ReadFileHandler properly validate volume arguments through s.getVolDir(volume), which rejects '..' sequences; ReadMultiple uniquely omits this validation. The vulnerability was introduced in commit f939d1c18 (PR #15346) when the ReadMultiple endpoint was added as part of the multipart upload redesign. File access uses os.OpenFile with O_RDONLY|O_NOATIME flags, with disclosure bounded by the MinIO process UID (on bare-metal) or unrestricted (when running as UID 0 in containers).

RemediationAI

Vendor-released patch: MinIO AIStor RELEASE.2026-04-14T21-32-45Z or later (recommended upgrade target); the vulnerable ReadMultiple handler was first removed in MinIO AIStor RELEASE.2024-10-23T19-38-07Z. All AIStor releases from RELEASE.2024-10-23T19-38-07Z onward are unaffected. Binary downloads, DEB/RPM packages, and container images (including FIPS variants) are available at https://dl.min.io/aistor/minio/release/. Homebrew: brew install minio/aistor/minio. If immediate upgrade is not feasible, implement the following mitigations in order of impact: (1) Rotate the root credential (MINIO_ROOT_PASSWORD) immediately and restrict access-treat it as a host-filesystem disclosure primitive and store only in the secret manager bootstrapping the cluster. (2) For containerized deployments, set securityContext.runAsNonRoot: true with a non-zero runAsUser in Kubernetes manifests, or add --user to docker run commands. This reduces host-filesystem disclosure to MinIO-UID-owned files only, preventing /etc/shadow and Kubernetes service-account token leakage. (3) Restrict the internode storage-REST port at the network layer: use --internode-port to expose internode traffic on a separate interface reachable only from cluster peers, not from client networks. Note that the storage-REST route shares the S3 API port by default, so isolation requires explicit port separation. These mitigations provide defense-in-depth but do not eliminate the vulnerability; upgrade to RELEASE.2026-04-14T21-32-45Z or later remains the primary remediation. See https://github.com/minio/minio/security/advisories/GHSA-xh8f-g2qw-gcm7 for official advisory and https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/ for upgrade instructions.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-42600 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy