Description
MinIO is a high-performance object storage system. From RELEASE.2022-07-24T01-54-52Z to before RELEASE.2026-04-14T21-32-45Z, a path traversal vulnerability in MinIO's ReadMultiple internode storage-REST endpoint allows a caller holding the cluster root JWT to read files from outside the configured drive roots, bounded only by the MinIO process UID. The attacker sends POST minio/storage/{drivePath}/v63/rmpl with a msgpack-encoded body carrying ../ sequences in the Bucket field. The server opens the resulting path via os.OpenFile with O_RDONLY|O_NOATIME and returns its contents in the msgpack response stream. This vulnerability is fixed in RELEASE.2026-04-14T21-32-45Z.
Published: 2026-05-11
Score: 6.9 Medium
EPSS: 8.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MinIO's ReadMultiple storage-REST endpoint (POST minio/storage/{drivePath}/v63/rmpl) contains a path traversal flaw (CWE-22) that allows a caller holding the cluster root JSON Web Token to read files outside the configured drive roots. The attacker places ../ sequences in the Bucket field of the msgpack-encoded request body; the server joins that field onto the drive path without confining the result to the drive root, opens the resolved path with os.OpenFile (O_RDONLY|O_NOATIME), and streams its contents back in the msgpack response. The effect is read access to any file the MinIO process UID can read, so the impact is limited to confidentiality: no write or availability impact is reported.
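To make the failure mode concrete, the following is an added, self-contained Go example written for this page; it is not MinIO's code and does not reproduce the real handler. ReadMultipleReq is a simplified stand-in for the decoded msgpack body (only the fields the advisory mentions are modelled), and the function names, the temporary drive layout and the sample file contents are all constructed for the illustration. naiveResolve shows the vulnerable pattern, joining caller-controlled Bucket, Prefix and file name onto the drive root; safeResolve shows one hardened form that rejects dot-dot elements up front and then re-checks, after cleaning, that the result still lies beneath the drive root.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ReadMultipleReq is an illustrative stand-in for the request decoded from the
// msgpack body (not MinIO's real struct). Every field is caller-controlled.
type ReadMultipleReq struct {
	Bucket string   // carried "../" sequences in the reported attack
	Prefix string   // object prefix under Bucket
	Files  []string // file names to read under Bucket/Prefix
}

// ErrPathTraversal is returned when a caller-supplied component would escape the drive root.
var ErrPathTraversal = errors.New("path escapes drive root")

// naiveResolve is the vulnerable pattern: filepath.Join cleans the path, so a
// Bucket such as "../../etc" walks straight out of driveRoot.
func naiveResolve(driveRoot string, req ReadMultipleReq, file string) string {
	return filepath.Join(driveRoot, req.Bucket, req.Prefix, file)
}

// safeResolve rejects bucket names that are "." or ".." or carry separators,
// rejects ".." elements anywhere in Prefix or the file name, and finally checks
// that the cleaned path is still relative to the drive root (defence in depth).
func safeResolve(driveRoot string, req ReadMultipleReq, file string) (string, error) {
	root, err := filepath.Abs(driveRoot)
	if err != nil {
		return "", err
	}
	if req.Bucket == "" || req.Bucket == "." || req.Bucket == ".." || strings.ContainsAny(req.Bucket, `/\`) {
		return "", ErrPathTraversal
	}
	for _, p := range []string{req.Prefix, file} {
		for _, seg := range strings.Split(filepath.ToSlash(p), "/") {
			if seg == ".." {
				return "", ErrPathTraversal
			}
		}
	}
	full := filepath.Join(root, req.Bucket, req.Prefix, file)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return full, nil
}

// demo builds a throwaway drive root holding one object plus a "secret" file one
// level above it, then shows that the naive resolver reads the secret while the
// hardened resolver refuses the request. All files are constructed sample data.
func demo() (leaked string, safeErr error, err error) {
	base, err := os.MkdirTemp("", "minio-traversal-demo")
	if err != nil {
		return "", nil, err
	}
	defer os.RemoveAll(base)
	driveRoot := filepath.Join(base, "drive1")
	if err := os.MkdirAll(filepath.Join(driveRoot, "photos"), 0o755); err != nil {
		return "", nil, err
	}
	_ = os.WriteFile(filepath.Join(driveRoot, "photos", "cat.jpg"), []byte("jpegdata"), 0o644)
	_ = os.WriteFile(filepath.Join(base, "secret.txt"), []byte("db-password=hunter2"), 0o600)

	// Traversal request: Bucket climbs one directory, out of driveRoot.
	evil := ReadMultipleReq{Bucket: "../", Files: []string{"secret.txt"}}

	p := naiveResolve(driveRoot, evil, evil.Files[0])
	b, err := os.ReadFile(p) // the vulnerable server did os.OpenFile(p, O_RDONLY|O_NOATIME, 0)
	if err != nil {
		return "", nil, err
	}
	_, safeErr = safeResolve(driveRoot, evil, evil.Files[0])
	return string(b), safeErr, nil
}

func main() {
	leaked, safeErr, err := demo()
	if err != nil {
		fmt.Println("demo error:", err)
		return
	}
	fmt.Printf("naive resolver leaked: %q\n", leaked)
	fmt.Printf("hardened resolver: %v\n", safeErr)
}
```

The post-join filepath.Rel check is what matters most: it catches escapes regardless of which field carried the dot-dot, including encodings a per-segment scan might miss once the path has been cleaned. Note that neither resolver addresses symlinks inside the drive root; confining a file open to a directory against symlink races needs an O_PATH/openat-style approach that is outside the scope of this advisory.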

Affected Systems

MinIO, the high‑performance object storage system, is affected in releases from RELEASE.2022-07-24T01-54-52Z up to, but not including, RELEASE.2026-04-14T21-32-45Z. Administrators using any of these releases are susceptible unless they upgrade to the fixed release.

Risk and Exploitability

The CVSS v4.0 base score of 6.9 is rated Medium; the vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N) reflects a network-reachable, low-complexity attack that needs no user interaction but does require high privileges, with high confidentiality impact and no integrity or availability impact. The EPSS score of 8.5% is categorised Low on this page, and the vulnerability is not listed in the CISA KEV catalog, so no exploitation in the wild is currently known. The attack requires possession of the cluster root JWT, the token MinIO nodes use to authenticate to one another; it is not reachable with ordinary S3 user or service-account credentials. If that token is leaked or misused, an attacker can read any file the MinIO process UID can read (configuration, credentials on the host, data on other drives). Because the vulnerable endpoint is an internode storage-REST API, the practical exposure is highest where that API is reachable from outside the cluster's own nodes, or where the root token is shared, long-lived or poorly controlled; with a valid token the request itself is trivial to construct.

Generated by OpenCVE AI on June 24, 2026 at 12:26 UTC.

Remediation

Fixed in RELEASE.2026-04-14T21-32-45Z, per the CVE description. No vendor-published workaround is recorded for earlier releases.

OpenCVE Recommended Actions

  • Upgrade MinIO to RELEASE.2026-04-14T21-32-45Z or a later release; this is the only fix that removes the flaw, since the missing path check lives in the server's ReadMultiple handler and cannot be patched from the outside.
  • Until the upgrade is done, treat the cluster root credentials and the JWT derived from them as the sole gate on this bug: restrict who and what can obtain them, rotate them, and audit any use of the root identity against the storage-REST path (minio/storage/.../rmpl).
  • Apply network segmentation or firewall rules so that the internode storage-REST endpoint is reachable only from the cluster's own nodes, never from clients, bastions or untrusted networks.


Tracking


Advisories
Source | ID | Title
Github GHSA | GHSA-xh8f-g2qw-gcm7 | MinIO vulnerable to Path Traversal via msgpack Body in `ReadMultiple` Storage-REST Endpoint
History

Tue, 26 May 2026 17:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Fri, 15 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 23:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Minio; Minio minio
Vendors & Products | | Minio; Minio minio

Mon, 11 May 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | MinIO is a high-performance object storage system. From RELEASE.2022-07-24T01-54-52Z to before RELEASE.2026-04-14T21-32-45Z, A path traversal vulnerability in MinIO's ReadMultiple internode storage-REST endpoint allows a caller holding the cluster root JWT to read files from outside the configured drive roots, bounded only by the MinIO process UID. The attacker sends POST minio/storage/{drivePath}/v63/rmpl with a msgpack-encoded body carrying ../ sequences in the Bucket field. The server opens the resulting path via os.OpenFile with O_RDONLY|O_NOATIME and returns its contents in the msgpack response stream. This vulnerability is fixed in RELEASE.2026-04-14T21-32-45Z.
Title | | MinIO: Path Traversal via msgpack Body in `ReadMultiple` Storage-REST Endpoint
Weaknesses | | CWE-22
References | |
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T18:24:49.669Z

Reserved: 2026-04-29T00:31:15.725Z

Link: CVE-2026-42600

Vulnrichment

Updated: 2026-05-15T18:24:46.219Z

NVD

Status : Analyzed

Published: 2026-05-11T22:22:11.567

Modified: 2026-06-17T10:48:08.820

Link: CVE-2026-42600

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T12:30:16Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')