Impact
MinIO’s ReadMultiple storage-REST endpoint contains a path-traversal flaw that allows a caller with a cluster-root JSON Web Token to read files outside the configured drive roots. This vulnerability is a CWE-22 weakness. The attacker crafts a POST request to the endpoint, embedding .. sequences in a msgpack-encoded body that is interpreted as a filesystem path. The server opens the resolved path with os.OpenFile and returns its contents, permitting read access to arbitrary files the MinIO process can access. This constitutes a confidentiality compromise.
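The containment check that this class of flaw is missing, shown as an added illustration in Go (MinIO's own language); it is not MinIO's code or its fix, and the drive root and object names are constructed:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a caller-supplied name would resolve to a
// location outside the drive root the server is allowed to serve from.
var ErrOutsideRoot = errors.New("requested path escapes drive root")

// naiveJoin shows the unsafe pattern the advisory describes: the caller's
// name is joined onto the root and opened without a containment check, so
// ".." components walk out of the root (constructed illustration).
func naiveJoin(root, name string) string {
	return filepath.Join(root, name)
}

// resolveUnderRoot joins name onto root and proves the cleaned result is
// still inside root before it would ever be handed to os.OpenFile.
func resolveUnderRoot(root, name string) (string, error) {
	// Absolute names and embedded NULs are never legitimate object paths.
	if name == "" || filepath.IsAbs(name) || strings.ContainsRune(name, 0) {
		return "", ErrOutsideRoot
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absRoot, name) // Join also cleans ".." components
	rel, err := filepath.Rel(absRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

func main() {
	root := "/data/disk1" // constructed drive root
	for _, name := range []string{"bucket/obj.txt", "bucket/../../etc/passwd", "../disk2/x"} {
		p, err := resolveUnderRoot(root, name)
		fmt.Printf("naive=%-24s checked=%q err=%v\n", naiveJoin(root, name), p, err)
	}
}
```

The lexical check above does not follow symlinks; a deployment that allows symlinks under a drive root would additionally need filepath.EvalSymlinks on the result before comparing it against the root.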
Affected Systems
MinIO, the high-performance object storage system, is affected in releases from RELEASE.2022-07-24T01-54-52Z up to, but not including, RELEASE.2026-04-14T21-32-45Z. Administrators using any of these releases are susceptible unless they upgrade to the fixed release.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread, known exploitation yet. The attack requires possession of a cluster-root JWT, which is a high-privilege token typically granted to administrators. If such a token is compromised or misused, an attacker can read sensitive files, bounded only by the filesystem permissions of the UID under which the MinIO process runs. The exploit path is relatively straightforward for an insider or a malicious entity that has obtained a valid token, making the vulnerability a concern for environments that expose the endpoint to untrusted actors or lack strong token management.
OpenCVE Enrichment
Github GHSA