GHSA-9c4q-hq6p-c237
ADVISORY - githubSummary
Impact
What kind of vulnerability is it? Who is impacted?
Two authentication bypass vulnerabilities in MinIO's STREAMING-UNSIGNED-PAYLOAD-TRAILER code path
allow any user who knows a valid access key to write arbitrary objects to any bucket without knowing
the secret key or providing a valid cryptographic signature.
Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default
minioadmin, or any key with WRITE permission on a bucket) and a target bucket name.
There are two vulnerabilities:
- Missing Signature Verification in PutObjectExtractHandler / Snowball (CWE-306)
- Signature Verification Bypass via Query-String Credentials (CWE-287)
Vulnerability 1 — Missing signature verification in PutObjectExtractHandler (Snowball)
When authTypeStreamingUnsignedTrailer support was added (commit 76913a9fd, PR #16484), the new auth
type was handled in PutObjectHandler and PutObjectPartHandler but was never added to
PutObjectExtractHandler. The snowball auto-extract handler's switch rAuthType block has no case for
authTypeStreamingUnsignedTrailer, so execution falls through with zero signature verification. The
isPutActionAllowed call before the switch extracts the access key and checks IAM permissions, but
does not verify the cryptographic signature.
An attacker sends a PUT request with X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER,
X-Amz-Meta-Snowball-Auto-Extract: true, and an Authorization header containing a valid access key
with a completely fabricated signature. The request is accepted and the tar payload is extracted into
the bucket.
Affected component: cmd/object-handlers.go, function PutObjectExtractHandler.
Vulnerability 2 — Signature verification bypass via query-string credentials
PutObjectHandler and PutObjectPartHandler call newUnsignedV4ChunkedReader with a signature
verification gate based solely on the presence of the Authorization header:
newUnsignedV4ChunkedReader(r, true, r.Header.Get(xhttp.Authorization) != "")
Meanwhile, isPutActionAllowed extracts credentials from either the Authorization header or the
X-Amz-Credential query parameter, and trusts whichever it finds. An attacker omits the
Authorization header and supplies credentials exclusively via the query string. The signature gate
evaluates to false, doesSignatureMatch is never called, and the request proceeds with the
permissions of the impersonated access key.
Affected components: cmd/object-handlers.go (PutObjectHandler),
cmd/object-multipart-handlers.go (PutObjectPartHandler).
CVSS v4.0 Score: 8.8 (High)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
CWE: CWE-306 (Missing Authentication for Critical Function), CWE-287 (Improper Authentication)
Affected Versions
All MinIO releases through the final release of the minio/minio open-source project.
Both vulnerabilities were introduced in commit
76913a9fd
("Signed trailers for signature v4", PR #16484),
which added authTypeStreamingUnsignedTrailer support. The first affected release is
RELEASE.2023-05-18T00-05-36Z.
Patches
Fixed in: MinIO AIStor RELEASE.2026-04-11T03-20-12Z
Binary Downloads
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio |
| Linux | arm64 | minio |
| macOS | arm64 | minio |
| macOS | amd64 | minio |
| Windows | amd64 | minio.exe |
FIPS Binaries
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio.fips |
| Linux | arm64 | minio.fips |
Package Downloads
| Format | Architecture | Download |
|---|---|---|
| DEB | amd64 | minio_20260411032012.0.0_amd64.deb |
| DEB | arm64 | minio_20260411032012.0.0_arm64.deb |
| RPM | amd64 | minio-20260411032012.0.0-1.x86_64.rpm |
| RPM | arm64 | minio-20260411032012.0.0-1.aarch64.rpm |
Container Images
# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z
# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips
Homebrew (macOS)
brew install minio/aistor/minio
Workarounds
If upgrading is not immediately possible:
Block unsigned-trailer requests at the load balancer. Reject any request containing
X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILERat the reverse proxy or WAF layer. Clients can useSTREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER(the signed variant) instead.Restrict WRITE permissions. Limit
s3:PutObjectgrants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.
Credits
- Finder: Arvin Shivram of Brutecat Security (@ddd)
References
- Introducing commit:
76913a9fd(PR #16484) - MinIO AIStor
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in