Description
MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler (`PutObjectExtractHandler`) allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name. When `authTypeStreamingUnsignedTrailer` support was added, the new auth type was handled in `PutObjectHandler` and `PutObjectPartHandler` but was never added to `PutObjectExtractHandler`. The snowball auto-extract handler's `switch rAuthType` block has no case for `authTypeStreamingUnsignedTrailer`, so execution falls through with zero signature verification. The `isPutActionAllowed` call before the switch extracts the access key and checks IAM permissions, but does not verify the cryptographic signature. An attacker sends a PUT request with `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`, `X-Amz-Meta-Snowball-Auto-Extract: true`, and an `Authorization` header containing a valid access key with a completely fabricated signature. The request is accepted and the tar payload is extracted into the bucket. Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer. Reject any request containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer. Clients can use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead. Alternatively, restrict WRITE permissions. Limit s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.
Published: 2026-04-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Object Write
Action: Immediate Patch
AI Analysis

Impact

MinIO's Snowball auto‑extract handler, PutObjectExtractHandler, contains an authentication bypass that allows any user who has a valid access key to upload arbitrary objects to any bucket. The bug stems from a missing signature check when the auth type is streaming unsigned trailer. An attacker can craft a PUT request with a forged signature, include X‑Amz‑Content‑Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER and the Snowball‑Auto‑Extract metadata flag, and the request is accepted and the payload is extracted into the target bucket. This flaw permits unauthorized data insertion and potential overwriting of existing objects, compromising the integrity of stored data and is classified as CWE‑287 and CWE‑306.

Affected Systems

The vulnerability affects all MinIO deployments running the open‑source minio/minio product between RELEASE.2023-05-18T00-05-36Z and just before RELEASE.2026-04-11T03-20-12Z. Earlier releases before 2023-05-18 are not affected. Any installation that has not applied the April 2026 update is vulnerable, including those using the default minioadmin credentials or any user with WRITE permissions on a bucket.

Risk and Exploitability

The CVSS score is 8.8, indicating a high‑severity defect that can lead to unrestricted write access. The EPSS score is not available, and the flaw is not listed in CISA KEV, but the risk remains high because the attack requires only a valid access key and a bucket name, which are often known or default credentials exist. An attacker can trigger the flaw remotely by sending a crafted PUT request to the S3 endpoint; no privileged local access is needed. This makes the vulnerability a high‑risk remote attack vector.

Generated by OpenCVE AI on April 22, 2026 at 06:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MinIO to RELEASE.2026-04-11T03-20-12Z or a later release.
  • If an upgrade is not possible, configure your load balancer or reverse proxy to reject requests that include X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER.
  • Restrict write permissions by limiting s3:PutObject grants to trusted principals only.

Generated by OpenCVE AI on April 22, 2026 at 06:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Minio
Minio minio
Vendors & Products Minio
Minio minio

Wed, 22 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
Description MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler (`PutObjectExtractHandler`) allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name. When `authTypeStreamingUnsignedTrailer` support was added, the new auth type was handled in `PutObjectHandler` and `PutObjectPartHandler` but was never added to `PutObjectExtractHandler`. The snowball auto-extract handler's `switch rAuthType` block has no case for `authTypeStreamingUnsignedTrailer`, so execution falls through with zero signature verification. The `isPutActionAllowed` call before the switch extracts the access key and checks IAM permissions, but does not verify the cryptographic signature. An attacker sends a PUT request with `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`, `X-Amz-Meta-Snowball-Auto-Extract: true`, and an `Authorization` header containing a valid access key with a completely fabricated signature. The request is accepted and the tar payload is extracted into the bucket. Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer. Reject any request containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer. Clients can use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead. Alternatively, restrict WRITE permissions. Limit s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.
Title MinIO has an Unauthenticated Object Write via Missing Signature Verification in Unsigned-Trailer Uploads
Weaknesses CWE-287
CWE-306
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Minio Minio
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T00:49:30.137Z

Reserved: 2026-04-10T22:50:01.358Z

Link: CVE-2026-40344

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-22T01:16:05.430

Modified: 2026-04-22T01:16:05.430

Link: CVE-2026-40344

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z

Weaknesses