MinIO CVE-2026-42600
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
_What kind of vulnerability is it? Who is impacted?_
A path traversal vulnerability in MinIO's ReadMultiple internode storage-REST endpoint allows a caller holding the cluster root JWT to read files from outside the configured drive roots, bounded only by the MinIO process UID.
Distributed-erasure (multi-node) MinIO deployments are impacted. Single-node standalone deployments do not register the route and are not affected. The attack requires an HS512 JWT signed with MINIO_ROOT_PASSWORD and carrying accessKey = MINIO_ROOT_USER - the same secret every peer in the cluster holds to authenticate internode traffic, so a compromised peer or any actor in possession of the root credential can mint one.
The ReadMultiple handler (cmd/storage-rest-server.go) decodes a msgpack ReadMultipleReq body containing Bucket, Prefix, and Files fields and forwards them to xlStorage.ReadMultiple (cmd/xl-storage.go) without validation:
volumeDir := pathJoin(s.drivePath, req.Bucket) // traversal resolves here
for _, f := range req.Files {
fullPath := pathJoin(volumeDir, req.Prefix, f)
data, mt, err = s.readAllDataWithDMTime(ctx, req.Bucket, volumeDir, fullPath)
}pathJoin calls path.Clean, which resolves .. components and produces an absolute path anywhere on the filesystem - it is not a root jail. The global setRequestValidityMiddleware rejects .. in r.URL.Path and r.Form but does not inspect request bodies, so msgpack-encoded traversal bypasses it. Sibling storage methods (StatInfoFile, ReadFileHandler, ReadVersion) validate their volume argument through s.getVolDir(volume), which rejects ..; ReadMultiple skips this call.
The attacker sends POST /minio/storage/{drivePath}/v63/rmpl with a msgpack-encoded body carrying ../ sequences in the Bucket field. The server opens the resulting path via os.OpenFile with O_RDONLY|O_NOATIME and returns its contents in the msgpack response stream.
Impact by deployment:
- Bare-metal with
User=minioin the systemd unit - theO_NOATIME
ownership check bounds the read to files owned by the MinIO UID. Reachable secrets include TLS private keys, KMS/KES key material, systemd credentials, and data belonging to other tenants sharing the same UID on the host. Secrets leaked this way persist across cluster credential rotation.
- Containerized running as UID 0 (the historical default for the official
Docker image, docker-compose examples, and Helm charts without securityContext.runAsNonRoot) - the primitive escalates to arbitrary host-filesystem disclosure: /etc/shadow, /root/**, Kubernetes service-account tokens, cloud-init metadata caches.
Affected components: cmd/storage-rest-server.go (ReadMultiple handler), cmd/xl-storage.go (xlStorage.ReadMultiple).
CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory
- 'Path Traversal')
CVSS v4.0 Score: 6.9 (Medium)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Versions
All MinIO releases from RELEASE.2022-07-24T01-54-52Z through the final release of the minio/minio open-source project, RELEASE.2025-09-07T16-13-09Z.
The vulnerability was introduced in commit f939d1c18 ("Independent Multipart Uploads", PR #15346), which added the ReadMultiple storage-REST endpoint as part of the multipart upload redesign. The first affected release is RELEASE.2022-07-24T01-54-52Z.
Patches
Fixed in: MinIO AIStor RELEASE.2026-04-14T21-32-45Z (recommended upgrade target). The fix - which removed the ReadMultiple handler, the corresponding storage-driver method, the msgpack datatypes, the REST-client wrapper, and the route registration - first shipped in MinIO AIStor RELEASE.2024-10-23T19-38-07Z. Every AIStor release from RELEASE.2024-10-23T19-38-07Z onward is unaffected; users should upgrade to RELEASE.2026-04-14T21-32-45Z or later to pick up the accumulated fixes and improvements shipped since.
Binary Downloads
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio |
| Linux | arm64 | minio |
| macOS | arm64 | minio |
| macOS | amd64 | minio |
| Windows | amd64 | minio.exe |
FIPS Binaries
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio.fips |
| Linux | arm64 | minio.fips |
Package Downloads
| Format | Architecture | Download |
|---|---|---|
| DEB | amd64 | minio_20260414213245.0.0_amd64.deb |
| DEB | arm64 | minio_20260414213245.0.0_arm64.deb |
| RPM | amd64 | minio-20260414213245.0.0-1.x86_64.rpm |
| RPM | arm64 | minio-20260414213245.0.0-1.aarch64.rpm |
Container Images
# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-14T21-32-45Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-14T21-32-45Z
# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-14T21-32-45Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-14T21-32-45Z.fipsHomebrew (macOS)
brew install minio/aistor/minioWorkarounds
If upgrading is not immediately possible:
- Rotate the root credential and restrict who holds it. The exploit
requires a JWT signed with MINIO_ROOT_PASSWORD. Treat the root credential as the host-filesystem disclosure primitive that it is: rotate it after any suspected exposure, store it only in the secret manager that bootstraps the cluster, and do not hand it to applications or operators who only need object-level access.
- Do not run the MinIO container as UID 0. Set
securityContext.runAsNonRoot: true (and a non-zero runAsUser) in Kubernetes manifests, or add --user to docker run. This reduces the blast radius from arbitrary host-filesystem disclosure to MinIO-UID-owned files only.
- Restrict the internode storage-REST port at the network layer. In
distributed deployments, the storage-REST route is served on the same port as the S3 API by default. Where feasible, use --internode-port to expose internode traffic on a separate interface reachable only from other cluster peers, and block that interface from client networks.
Credits
- Finders: Discovered by Claude, Anthropic's AI assistant, and triaged by
Adrian Denkiewicz at Doyensec in collaboration with Anthropic Research.
Resources
- Introducing commit:
f939d1c18
AnalysisAI
Path traversal in MinIO's ReadMultiple internode storage-REST endpoint allows authenticated cluster peers or root-credential holders to read arbitrary files from the host filesystem outside configured drive roots. Distributed-erasure (multi-node) deployments are affected; single-node standalone deployments are not. The vulnerability exists in all releases from RELEASE.2022-07-24T01-54-52Z through RELEASE.2025-09-07T16-13-09Z and has been fixed as of MinIO AIStor RELEASE.2024-10-23T19-38-07Z (with security patch RELEASE.2026-04-14T21-32-45Z recommended). No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
The vulnerability stems from insufficient input validation in the ReadMultiple handler (cmd/storage-rest-server.go), which accepts msgpack-encoded request bodies containing Bucket, Prefix, and Files fields. These fields are passed to xlStorage.ReadMultiple without validation, then concatenated using pathJoin (which calls path.Clean). The path.Clean function resolves '..' components to produce arbitrary absolute paths on the filesystem but does not enforce a root jail. This bypasses the global setRequestValidityMiddleware, which only inspects URL paths and form data, not request bodies. Sibling storage methods like StatInfoFile and ReadFileHandler properly validate volume arguments through s.getVolDir(volume), which rejects '..' sequences; ReadMultiple uniquely omits this validation. The vulnerability was introduced in commit f939d1c18 (PR #15346) when the ReadMultiple endpoint was added as part of the multipart upload redesign. File access uses os.OpenFile with O_RDONLY|O_NOATIME flags, with disclosure bounded by the MinIO process UID (on bare-metal) or unrestricted (when running as UID 0 in containers).
RemediationAI
Vendor-released patch: MinIO AIStor RELEASE.2026-04-14T21-32-45Z or later (recommended upgrade target); the vulnerable ReadMultiple handler was first removed in MinIO AIStor RELEASE.2024-10-23T19-38-07Z. All AIStor releases from RELEASE.2024-10-23T19-38-07Z onward are unaffected. Binary downloads, DEB/RPM packages, and container images (including FIPS variants) are available at https://dl.min.io/aistor/minio/release/. Homebrew: brew install minio/aistor/minio. If immediate upgrade is not feasible, implement the following mitigations in order of impact: (1) Rotate the root credential (MINIO_ROOT_PASSWORD) immediately and restrict access-treat it as a host-filesystem disclosure primitive and store only in the secret manager bootstrapping the cluster. (2) For containerized deployments, set securityContext.runAsNonRoot: true with a non-zero runAsUser in Kubernetes manifests, or add --user to docker run commands. This reduces host-filesystem disclosure to MinIO-UID-owned files only, preventing /etc/shadow and Kubernetes service-account token leakage. (3) Restrict the internode storage-REST port at the network layer: use --internode-port to expose internode traffic on a separate interface reachable only from cluster peers, not from client networks. Note that the storage-REST route shares the S3 API port by default, so isolation requires explicit port separation. These mitigations provide defense-in-depth but do not eliminate the vulnerability; upgrade to RELEASE.2026-04-14T21-32-45Z or later remains the primary remediation. See https://github.com/minio/minio/security/advisories/GHSA-xh8f-g2qw-gcm7 for official advisory and https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/ for upgrade instructions.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-xh8f-g2qw-gcm7