Description
MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name. `PutObjectHandler` and `PutObjectPartHandler` call `newUnsignedV4ChunkedReader` with a signature verification gate based solely on the presence of the `Authorization` header. Meanwhile, `isPutActionAllowed` extracts credentials from either the `Authorization` header or the `X-Amz-Credential` query parameter, and trusts whichever it finds. An attacker omits the `Authorization` header and supplies credentials exclusively via the query string. The signature gate evaluates to `false`, `doesSignatureMatch` is never called, and the request proceeds with the permissions of the impersonated access key. This affects `PutObjectHandler` (standard and tables/warehouse bucket paths) and `PutObjectPartHandler` (multipart uploads). Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-04-11T03-20-12Z` or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer. Reject any request containing `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the reverse proxy or WAF layer. Clients can use `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER` (the signed variant) instead. Alternatively, restrict WRITE permissions. Limit `s3:PutObject` grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.
Published: 2026-04-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Object Write
Action: Immediate Patch
AI Analysis

Impact

MinIO’s streaming unsigned-payload-trailer implementation permits an attacker who knows any valid access key, including the default minioadmin key, to write arbitrary objects to any bucket without having the corresponding secret key or a valid cryptographic signature. The flaw originates from a signature validation gate that checks only for the presence of an Authorization header; when the header is omitted and credentials are supplied through the X-Amz-Credential query parameter, the gate bypasses verification and the request proceeds with the privileges of the impersonated key. This authentication bypass (CWE-287) enables unauthenticated object writes, potentially compromising data integrity and availability.

Affected Systems

All deployments of the open-source minio/minio product are affected, from the earliest release up to and including RELEASE.2026-04-11T03-20-12Z. Any MinIO instance that accepts STREAMING-UNSIGNED-PAYLOAD-TRAILER uploads is impacted, regardless of the specific bucket. Users running the default admin credentials or any access key with WRITE permission on a bucket can exploit the vulnerability.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the KEV status is not listed, implying no confirmed exploitation in the wild yet. The EPSS score is not available, so the current likelihood remains uncertain, yet an attacker only requires a valid access key, a common default, and the target bucket name—conditions that are frequently satisfied in many MinIO deployments. The vulnerability can be leveraged by anyone with a legitimate key, allowing them to overwrite or create objects, potentially leading to data corruption, unauthorized storage, or denial of service. A patch exists in the MinIO AIStor RELEASE.2026-04-11T03-20-12Z, but until it is applied, the risk is substantial.

Generated by OpenCVE AI on April 22, 2026 at 04:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest MinIO AIStor release (RELEASE.2026-04-11T03-20-12Z or later), which contains the fix for the unsigned-trailer upload authentication bypass.
  • Configure your load balancer, reverse proxy, or Web Application Firewall to reject any request containing X-Amz-Content-Sha256 set to STREAMING-UNSIGNED-PAYLOAD-TRAILER.
  • Restrict the WRITE permissions granted to access keys—especially the default minioadmin key—to trusted principals only, ensuring that only authorized users can perform object uploads.
  • When uploading data, use the signed streaming payload trailer (STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER) instead of the unsigned variant, which enforces signature validation in the request.
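The interim proxy/WAF rule from the description and the recommended actions above, as an added Go example (not MinIO's code and not OpenCVE's): it blocks every unsigned-trailer upload until the patch is applied, and separately flags the request shape the advisory describes (unsigned trailer, no Authorization header, credentials only in the X-Amz-Credential query parameter) so the impersonated access key can be pulled out for alerting. The hostname, key and date in the sample request are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Header value that selects the vulnerable code path (named in the advisory).
const unsignedTrailer = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"

// Finding is the verdict for one request; Block=false means let it through.
type Finding struct {
	Block     bool   // advisory's interim rule: reject unsigned-trailer uploads
	Bypass    bool   // request has the exact shape of the CVE-2026-41145 bypass
	AccessKey string // access key named in X-Amz-Credential, for alert triage
}

// Inspect applies the advisory's interim mitigation (block every request whose
// X-Amz-Content-Sha256 is the unsigned trailer) and additionally flags the
// narrower bypass shape: an unsigned-trailer PUT with no Authorization header
// that presents credentials only in the query string.
func Inspect(r *http.Request) Finding {
	if !strings.EqualFold(r.Header.Get("X-Amz-Content-Sha256"), unsignedTrailer) {
		return Finding{} // signed-trailer and non-streaming requests pass untouched
	}
	f := Finding{Block: true}
	if cred := r.URL.Query().Get("X-Amz-Credential"); cred != "" {
		// SigV4 credential scope is "<access-key>/<date>/<region>/<service>/aws4_request";
		// the first segment is the key the request claims to act as.
		f.AccessKey = strings.SplitN(cred, "/", 2)[0]
		f.Bypass = r.Method == http.MethodPut && r.Header.Get("Authorization") == ""
	}
	return f
}

func main() {
	// Constructed sample request: unsigned trailer, credentials only in the query.
	r, _ := http.NewRequest(http.MethodPut,
		"http://minio.example/bucket/key?X-Amz-Credential=minioadmin%2F20260422%2Fus-east-1%2Fs3%2Faws4_request", nil)
	r.Header.Set("X-Amz-Content-Sha256", unsignedTrailer)
	fmt.Printf("%+v\n", Inspect(r)) // {Block:true Bypass:true AccessKey:minioadmin}
}
```

Bypass is a triage signal rather than a stricter rule: presigned requests also legitimately carry credentials in the query string, which is why the advisory's mitigation blocks the unsigned-trailer mode outright instead of relying on that shape alone.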

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Minio
Minio minio
Vendors & Products Minio
Minio minio

Wed, 22 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
Title MinIO has an Unauthenticated Object Write via Query-String Credential Signature Bypass in Unsigned-Trailer Uploads
Weaknesses CWE-287
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T14:21:43.972Z

Reserved: 2026-04-17T12:59:15.739Z

Link: CVE-2026-41145

Vulnrichment

Updated: 2026-04-22T14:21:36.432Z

NVD

Status : Received

Published: 2026-04-22T01:16:05.603

Modified: 2026-04-22T01:16:05.603

Link: CVE-2026-41145

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:30:05Z

Weaknesses