{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41145", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-17T12:59:15.739Z", "datePublished": "2026-04-22T00:54:09.213Z", "dateUpdated": "2026-04-22T00:54:09.213Z"}, "containers": {"cna": {"title": "MinIO has an Unauthenticated Object Write via Query-String Credential Signature Bypass in Unsigned-Trailer Uploads", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/minio/minio/security/advisories/GHSA-hv4r-mvr4-25vw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/minio/minio/security/advisories/GHSA-hv4r-mvr4-25vw"}, {"name": "https://github.com/minio/minio/pull/16484", "tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/pull/16484"}, {"name": "https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091", "tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091"}], "affected": [{"vendor": "minio", "product": "minio", "versions": [{"version": ">= RELEASE.2023-05-18T00-05-36Z, < RELEASE.2026-04-11T03-20-12Z", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T00:54:09.213Z"}, "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path\nallows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name. `PutObjectHandler` and `PutObjectPartHandler` call `newUnsignedV4ChunkedReader` with a signature verification gate based solely on the presence of the `Authorization` header. Meanwhile, `isPutActionAllowed` extracts credentials from either the `Authorization` header or the\n`X-Amz-Credential` query parameter, and trusts whichever it finds. An attacker omits the `Authorization` header and supplies credentials exclusively via the query string. The signature gate evaluates to `false`, `doesSignatureMatch` is never called, and the request proceeds with the permissions of the impersonated access key. This affects `PutObjectHandler` (standard and tables/warehouse bucket paths) and `PutObjectPartHandler` (multipart uploads). Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-04-11T03-20-12Z` or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer. Reject any request containing `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the reverse proxy or WAF layer. Clients can use `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER` (the signed variant) instead. Alternatively, restrict WRITE permissions. Limit `s3:PutObject` grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key."}], "source": {"advisory": "GHSA-hv4r-mvr4-25vw", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path\nallows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name. `PutObjectHandler` and `PutObjectPartHandler` call `newUnsignedV4ChunkedReader` with a signature verification gate based solely on the presence of the `Authorization` header. Meanwhile, `isPutActionAllowed` extracts credentials from either the `Authorization` header or the\n`X-Amz-Credential` query parameter, and trusts whichever it finds. An attacker omits the `Authorization` header and supplies credentials exclusively via the query string. The signature gate evaluates to `false`, `doesSignatureMatch` is never called, and the request proceeds with the permissions of the impersonated access key. This affects `PutObjectHandler` (standard and tables/warehouse bucket paths) and `PutObjectPartHandler` (multipart uploads). Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-04-11T03-20-12Z` or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer. Reject any request containing `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the reverse proxy or WAF layer. Clients can use `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER` (the signed variant) instead. Alternatively, restrict WRITE permissions. Limit `s3:PutObject` grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key."}], "id": "CVE-2026-41145", "lastModified": "2026-04-22T01:16:05.603", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T01:16:05.603", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091"}, {"source": "security-advisories@github.com", "url": "https://github.com/minio/minio/pull/16484"}, {"source": "security-advisories@github.com", "url": "https://github.com/minio/minio/security/advisories/GHSA-hv4r-mvr4-25vw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[RELEASE.2023-05-18T00-05-36Z,RELEASE.2026-04-11T03-20-12Z)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "minio", "source": "cna", "vendor": "minio"}, "product": "minio", "vendor": "minio"}], "analysis": {"en": {"generated_at": "2026-04-22T04:23:25.251537+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest MinIO AIStor release (RELEASE.2026\u201104\u201111T03\u201120\u201112Z or later), which contains the fix for the unsigned\u2011trailer upload authentication bypass.", "Configure your load balancer, reverse proxy, or Web Application Firewall to reject any request containing X\u2011Amz\u2011Content\u2011Sha256 set to STREAMING\u2011UNSIGNED\u2011PAYLOAD\u2011TRAILER.", "Restrict the WRITE permissions granted to access keys\u2014especially the default minioadmin key\u2014to trusted principals only, ensuring that only authorized users can perform object uploads.", "When uploading data, use the signed streaming payload trailer (STREAMING\u2011AWS4\u2011HMAC\u2011SHA256\u2011PAYLOAD\u2011TRAILER) instead of the unsigned variant, which enforces signature validation in the request."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated Object Write"}, "threat_synthesis": {"affected_systems": "All deployments of the open\u2011source minio/minio product are affected, from the earliest release up to and including RELEASE.2026\u201104\u201111T03\u201120\u201112Z. Any MinIO instance that accepts STREAMING\u2011UNSIGNED\u2011PAYLOAD\u2011TRAILER uploads is impacted, regardless of the specific bucket. Users running the default admin credentials or any access key with WRITE permission on a bucket can exploit the vulnerability.", "description_and_impact": "MinIO\u2019s streaming unsigned\u2011payload\u2011trailer implementation permits an attacker who knows any valid access key, including the default minioadmin key, to write arbitrary objects to any bucket without having the corresponding secret key or a valid cryptographic signature. The flaw originates from a signature validation gate that checks only for the presence of an Authorization header; when the header is omitted and credentials are supplied through the X\u2011Amz\u2011Credential query parameter, the gate bypasses verification and the request proceeds with the privileges of the impersonated key. This authentication bypass (CWE\u2011287) enables unauthenticated object writes, potentially compromising data integrity and availability.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity, and the KEV status is not listed, implying no confirmed exploitation in the wild yet. The EPSS score is not available, so the current likelihood remains uncertain, yet an attacker only requires a valid access key, a common default, and the target bucket name\u2014conditions that are frequently satisfied in many MinIO deployments. The vulnerability can be leveraged by anyone with a legitimate key, allowing them to overwrite or create objects, potentially leading to data corruption, unauthorized storage, or denial of service. A patch exists in the MinIO AIStor RELEASE.2026\u201104\u201111T03\u201120\u201112Z, but until it is applied, the risk is substantial."}}}}, "created": "2026-04-22T04:30:05.160395+00:00", "updated": "2026-04-22T04:30:05.301643+00:00", "vendors": ["minio", "minio$PRODUCT$minio"]}