Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler (PutObjectExtractHandler) allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default minioadmin, or any key with WRITE permission on a bucket) and a target bucket name. When authTypeStreamingUnsignedTrailer support was added, the new auth type was handled in PutObjectHandler and PutObjectPartHandler but was never added to PutObjectExtractHandler. The snowball auto-extract handler's switch rAuthType block has no case for authTypeStreamingUnsignedTrailer, so execution falls through with zero signature verification. The isPutActionAllowed call before the switch extracts the access key and checks IAM permissions, but does not verify the cryptographic signature. An attacker sends a PUT request with X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER, X-Amz-Meta-Snowball-Auto-Extract: true, and an Authorization header containing a valid access key with a completely fabricated signature. The request is accepted and the tar payload is extracted into the bucket. Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer. Reject any request containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer. Clients can use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead. Alternatively, restrict WRITE permissions. Limit s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.
AnalysisAI
Authentication bypass in MinIO RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z allows remote unauthenticated attackers to write arbitrary objects to any bucket by exploiting an unvalidated auth type in the Snowball auto-extract handler. Attackers need only a valid access key (including the default 'minioadmin') and can fabricate signatures without knowing the secret key. CVSS 8.8 reflects network-accessible, low-complexity exploitation with no authentication required (CVSS:4.0 PR:N). No public exploit identified at time of analysis, but exploitation requires only basic S3 API knowledge. Patched in RELEASE.2026-04-11T03-20-12Z per vendor advisory GHSA-9c4q-hq6p-c237.
Technical ContextAI
MinIO's Snowball auto-extract feature allows bulk import of objects via S3 PutObject requests containing tar archives, triggered by the X-Amz-Meta-Snowball-Auto-Extract header. The vulnerability stems from incomplete handling of AWS Signature Version 4 authentication types (CWE-287: Improper Authentication). When MinIO added support for authTypeStreamingUnsignedTrailer in standard PutObject handlers, the implementation failed to include this auth type in PutObjectExtractHandler's authentication switch statement. The handler performs IAM permission checks via isPutActionAllowed (verifying the access key has WRITE permission) but then falls through the auth type switch without cryptographic signature validation when STREAMING-UNSIGNED-PAYLOAD-TRAILER is specified. This creates a logic flaw where authorization (checking who you claim to be has permission) succeeds but authentication (verifying you are who you claim to be) is skipped entirely. Affected products per CPE: cpe:2.3:a:minio:minio from RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z.
RemediationAI
Primary fix: Upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later immediately, as confirmed by vendor advisory GHSA-9c4q-hq6p-c237 (https://github.com/minio/minio/security/advisories/GHSA-9c4q-hq6p-c237). The patch adds authTypeStreamingUnsignedTrailer validation to PutObjectExtractHandler per commit 76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091. If immediate upgrade is not feasible, implement one of these compensating controls: (1) Block unsigned-trailer requests at perimeter - configure reverse proxy, WAF, or load balancer to reject any HTTP request containing header 'X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER'. This prevents exploitation but may break legitimate clients using unsigned streaming uploads; verify no production workloads require this feature before deployment. (2) Enforce signed variant - reconfigure S3 clients to use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the cryptographically signed streaming mode) instead of the unsigned variant. Requires client-side changes and secret key distribution. (3) Restrictive IAM policies - limit s3:PutObject grants to only highly trusted service principals and remove WRITE permissions from any potentially compromised or default keys like 'minioadmin'. Critical: This mitigation only reduces attack surface and does NOT eliminate the vulnerability; any remaining key with WRITE permission can still exploit the flaw. Change default 'minioadmin' credentials immediately regardless of other mitigations. Trade-offs: Perimeter blocking is most effective but may impact legitimate unsigned uploads; IAM restriction requires operational overhead and still leaves residual risk.
Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita
Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. Rated high severity (C
MinIO is a High Performance Object Storage released under Apache License v2.0. Rated high severity (CVSS 7.7), this vuln
Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploita
MinIO is a multi-cloud object storage solution. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitab
Minio is a Multi-Cloud Object Storage framework. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi
MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage se
MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage se
Authentication bypass in MinIO object storage allows remote attackers to write arbitrary objects to any bucket using onl
Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita
MinIO is a Kubernetes native application for cloud storage. Rated high severity (CVSS 8.8), this vulnerability is remote
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24579
GHSA-9c4q-hq6p-c237