MinIO Flaws Enable Security Bypass and Information Disclosure
German authorities issued advisories for multiple MinIO vulnerabilities that can bypass security controls, with one notice also warning of information disclosure. The advisories identify weaknesses in the object storage platform that could allow attackers to circumvent intended protections and expose sensitive data under certain conditions.
A later advisory expanded the scope from a single issue to multiple vulnerabilities affecting MinIO, all tied to bypassing security measures. Organizations using MinIO should review the referenced advisories, identify affected deployments, and prioritize vendor fixes or mitigations to reduce the risk of unauthorized access and data exposure.
Timeline
May 6, 2026
dCERT publishes MinIO advisory 2026-1353
dCERT published advisory 2026-1353 for MinIO, describing a vulnerability that could allow information disclosure. This is a new MinIO advisory distinct from the previously listed 2026-0795 and 2026-1063 notices.
Apr 14, 2026
dCERT publishes MinIO advisory 2026-1063
dCERT published advisory 2026-1063 for MinIO, reporting multiple vulnerabilities that could allow bypassing security measures.
Mar 23, 2026
dCERT publishes MinIO advisory 2026-0795
dCERT published advisory 2026-0795 for MinIO, describing vulnerabilities that could allow information disclosure and bypassing security measures.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
Related Stories
MinIO flaws enabled forged OIDC tokens and LDAP brute-force to seize S3 access
MinIO disclosed two high-severity authentication vulnerabilities that could let attackers obtain unauthorized access to S3 data and administrative functions. **CVE-2026-33322** affects OpenID Connect authentication in versions from `RELEASE.2022-11-08T05-27-07Z` through versions before `RELEASE.2026-03-17T21-25-16Z`, where a JWT algorithm confusion issue allows an attacker who knows the OIDC `ClientSecret` to forge identity tokens and obtain S3 credentials with arbitrary policies, including `consoleAdmin`. The flaw creates a direct path to compromise confidentiality, integrity, and availability across affected MinIO deployments. A second issue, **CVE-2026-33419**, affects the STS `AssumeRoleWithLDAPIdentity` endpoint in MinIO AIStor before `RELEASE.2026-03-17T21-25-16Z`. Distinct error messages enabled LDAP username enumeration, and the absence of rate limiting allowed unlimited password-guessing attempts by an unauthenticated network attacker. If exploited, the weakness could yield temporary AWS-style STS credentials and expose S3 buckets and objects to unauthorized access. MinIO patched both vulnerabilities in `RELEASE.2026-03-17T21-25-16Z`.
1 months ago
MinIO Authentication Bypass Lets Attackers Write Arbitrary Objects to Buckets
MinIO disclosed authentication bypass flaws in its `STREAMING-UNSIGNED-PAYLOAD-TRAILER` upload path that let an attacker with knowledge of a valid access key write arbitrary objects to any bucket without the corresponding secret key or a valid cryptographic signature. The issues affect releases from `RELEASE.2023-05-18T00-05-36Z` up to, but not including, `RELEASE.2026-04-11T03-20-12Z`, and were assigned a CVSS v4.0 score of **8.8**. One tracked issue, `CVE-2026-41145`, abuses inconsistent credential handling by omitting the `Authorization` header and supplying credentials through `X-Amz-Credential`, allowing requests to bypass signature verification in `PutObjectHandler` and `PutObjectPartHandler` across standard, warehouse, and multipart upload paths.
2 weeks ago
Docker and Docker Desktop Flaws Expose Systems to Security Bypass Risks
German authorities issued advisories for **multiple vulnerabilities in Docker** and a separate **Docker Desktop flaw that allows security measures to be bypassed**, highlighting security risks across both the container engine ecosystem and the desktop management platform. The notices identify Docker broadly as affected in one case, while the other specifically warns that Docker Desktop contains a vulnerability that could let attackers circumvent intended protections. The paired advisories indicate that organizations using Docker in development or production environments may face exposure from both general software weaknesses and a more targeted bypass issue in Docker Desktop. Security teams should review affected versions, assess where Docker and Docker Desktop are deployed, and prioritize vendor guidance and patching to reduce the risk of unauthorized access or weakened container security controls.
1 weeks ago