Skip to main content

Minio

18 CVEs product

Monthly

CVE-2026-41145 Go HIGH GHSA This Week

Authentication bypass in MinIO object storage allows remote attackers to write arbitrary objects to any bucket using only a valid access key, without the corresponding secret key or cryptographic signature. The vulnerability affects MinIO RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z. Attackers can impersonate any user with WRITE permissions by exploiting a logic flaw in the STREAMING-UNSIGNED-PAYLOAD-TRAILER code path that incorrectly validates credentials from query parameters while bypassing signature verification. Vendor-released patch available in RELEASE.2026-04-11T03-20-12Z (GitHub commit 76913a9f). No public exploit identified at time of analysis, but exploitation requires only knowledge of a valid access key and target bucket name.

Authentication Bypass Minio
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-40344 Go HIGH GHSA This Week

Authentication bypass in MinIO RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z allows remote unauthenticated attackers to write arbitrary objects to any bucket by exploiting an unvalidated auth type in the Snowball auto-extract handler. Attackers need only a valid access key (including the default 'minioadmin') and can fabricate signatures without knowing the secret key. CVSS 8.8 reflects network-accessible, low-complexity exploitation with no authentication required (CVSS:4.0 PR:N). No public exploit identified at time of analysis, but exploitation requires only basic S3 API knowledge. Patched in RELEASE.2026-04-11T03-20-12Z per vendor advisory GHSA-9c4q-hq6p-c237.

Authentication Bypass Minio
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2026-39414 Go HIGH GHSA This Week

Memory exhaustion in MinIO S3 Select (RELEASE.2018-08-18T03-49-57Z through RELEASE.2025-12-20T04-58-37Z) allows authenticated users with s3:PutObject and s3:GetObject permissions to crash the server by uploading CSV files lacking newline characters. The vulnerable CSV reader buffers entire lines into memory without size limits, enabling attackers to trigger out-of-memory conditions. A ~2 MB compressed CSV can decompress to gigabytes without newlines, causing denial of service. No public exploit identified at time of analysis.

Denial Of Service Minio
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2023-28434 Go HIGH POC KEV PATCH THREAT This Week

Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Privilege Escalation Minio
NVD GitHub
CVSS 3.1
8.8
EPSS
6.7%
CVE-2023-28433 Go HIGH PATCH This Week

Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Resource to Wrong Sphere vulnerability could allow attackers to access resources from an unintended security context.

Information Disclosure Microsoft Minio
NVD GitHub
CVSS 3.1
8.8
EPSS
1.0%
CVE-2023-28432 HIGH POC KEV THREAT This Week

Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Minio
NVD GitHub
CVSS 3.1
7.5
EPSS
84.0%
CVE-2023-27589 MEDIUM POC This Month

Minio is a Multi-Cloud Object Storage framework. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Minio
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2023-25812 HIGH POC PATCH This Week

Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Minio
NVD GitHub
CVSS 3.1
8.8
EPSS
1.0%
CVE-2022-35919 LOW POC PATCH THREAT Monitor

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal Minio
NVD GitHub Exploit-DB
CVSS 3.1
2.7
EPSS
52.3%
CVE-2022-31028 HIGH POC PATCH This Week

MinIO is a multi-cloud object storage solution. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Minio
NVD GitHub
CVSS 3.1
7.5
EPSS
2.8%
CVE-2022-24842 HIGH POC PATCH This Week

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Privilege Escalation Minio
NVD GitHub
CVSS 3.1
8.8
EPSS
2.1%
CVE-2021-43858 HIGH PATCH This Week

MinIO is a Kubernetes native application for cloud storage. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Kubernetes Privilege Escalation Minio
NVD GitHub
CVSS 3.1
8.8
EPSS
35.5%
CVE-2021-41137 HIGH PATCH This Week

Minio is a Kubernetes native application for cloud storage. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Kubernetes Authentication Bypass Minio
NVD GitHub
CVSS 3.1
8.8
EPSS
1.2%
CVE-2021-21390 MEDIUM POC PATCH This Month

MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Minio
NVD GitHub
CVSS 3.1
5.9
EPSS
0.9%
CVE-2021-21362 MEDIUM POC PATCH This Month

MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Minio
NVD GitHub
CVSS 3.1
6.5
EPSS
1.3%
CVE-2021-21287 HIGH POC PATCH THREAT This Week

MinIO is a High Performance Object Storage released under Apache License v2.0. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Apache Path Traversal SSRF Minio
NVD GitHub
CVSS 3.1
7.7
EPSS
24.8%
CVE-2020-11012 HIGH PATCH This Week

MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Minio
NVD GitHub
CVSS 3.1
7.5
EPSS
2.1%
CVE-2018-1000538 HIGH PATCH This Week

Minio Inc. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Minio
NVD GitHub
CVSS 3.0
7.5
EPSS
1.5%
EPSS 0% CVSS 8.8
HIGH This Week

Authentication bypass in MinIO object storage allows remote attackers to write arbitrary objects to any bucket using only a valid access key, without the corresponding secret key or cryptographic signature. The vulnerability affects MinIO RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z. Attackers can impersonate any user with WRITE permissions by exploiting a logic flaw in the STREAMING-UNSIGNED-PAYLOAD-TRAILER code path that incorrectly validates credentials from query parameters while bypassing signature verification. Vendor-released patch available in RELEASE.2026-04-11T03-20-12Z (GitHub commit 76913a9f). No public exploit identified at time of analysis, but exploitation requires only knowledge of a valid access key and target bucket name.

Authentication Bypass Minio
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Authentication bypass in MinIO RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z allows remote unauthenticated attackers to write arbitrary objects to any bucket by exploiting an unvalidated auth type in the Snowball auto-extract handler. Attackers need only a valid access key (including the default 'minioadmin') and can fabricate signatures without knowing the secret key. CVSS 8.8 reflects network-accessible, low-complexity exploitation with no authentication required (CVSS:4.0 PR:N). No public exploit identified at time of analysis, but exploitation requires only basic S3 API knowledge. Patched in RELEASE.2026-04-11T03-20-12Z per vendor advisory GHSA-9c4q-hq6p-c237.

Authentication Bypass Minio
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Memory exhaustion in MinIO S3 Select (RELEASE.2018-08-18T03-49-57Z through RELEASE.2025-12-20T04-58-37Z) allows authenticated users with s3:PutObject and s3:GetObject permissions to crash the server by uploading CSV files lacking newline characters. The vulnerable CSV reader buffers entire lines into memory without size limits, enabling attackers to trigger out-of-memory conditions. A ~2 MB compressed CSV can decompress to gigabytes without newlines, causing denial of service. No public exploit identified at time of analysis.

Denial Of Service Minio
NVD GitHub
EPSS 7% CVSS 8.8
HIGH POC KEV PATCH THREAT This Week

Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Privilege Escalation Minio
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Resource to Wrong Sphere vulnerability could allow attackers to access resources from an unintended security context.

Information Disclosure Microsoft Minio
NVD GitHub
EPSS 84% CVSS 7.5
HIGH POC KEV THREAT This Week

Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Minio
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Minio is a Multi-Cloud Object Storage framework. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Minio
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Minio is a Multi-Cloud Object Storage framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Minio
NVD GitHub
EPSS 52% CVSS 2.7
LOW POC PATCH THREAT Monitor

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal Minio
NVD GitHub Exploit-DB
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

MinIO is a multi-cloud object storage solution. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Minio
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC PATCH This Week

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Privilege Escalation Minio
NVD GitHub
EPSS 35% CVSS 8.8
HIGH PATCH This Week

MinIO is a Kubernetes native application for cloud storage. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Kubernetes Privilege Escalation Minio
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Minio is a Kubernetes native application for cloud storage. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Kubernetes Authentication Bypass Minio
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM POC PATCH This Month

MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Minio
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Minio
NVD GitHub
EPSS 25% CVSS 7.7
HIGH POC PATCH THREAT This Week

MinIO is a High Performance Object Storage released under Apache License v2.0. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Apache Path Traversal SSRF +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Minio
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Minio Inc. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Minio
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy