MinIO Flaws Enable Security Bypass and Information Disclosure
German authorities issued advisories for multiple MinIO vulnerabilities that can bypass security controls, with one notice also warning of information disclosure. The advisories identify weaknesses in the object storage platform that could allow attackers to circumvent intended protections and expose sensitive data under certain conditions.
A later advisory expanded the scope from a single issue to multiple vulnerabilities affecting MinIO, all tied to bypassing security measures. Organizations using MinIO should review the referenced advisories, identify affected deployments, and prioritize vendor fixes or mitigations to reduce the risk of unauthorized access and data exposure.
How this story unfolded
3 events from the earliest known activity through the most recent confirmed update.
dCERT publishes MinIO advisory 2026-0795
dCERT published advisory 2026-0795 for MinIO, describing vulnerabilities that could allow information disclosure and bypassing security measures.
dCERT publishes MinIO advisory 2026-1063
dCERT published advisory 2026-1063 for MinIO, reporting multiple vulnerabilities that could allow bypassing security measures.
dCERT publishes MinIO advisory 2026-1353
dCERT published advisory 2026-1353 for MinIO, describing a vulnerability that could allow information disclosure. This is a new MinIO advisory distinct from the previously listed 2026-0795 and 2026-1063 notices.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
dCERT - Advisory 2026-1353 - MinIO: Vulnerability allows information disclosure
dcert.de
Open sourcedCERT - Advisory 2026-1063 - MinIO: Multiple Vulnerabilities allow bypassing security measures
dcert.de
Open sourcedCERT - Advisory 2026-0795 - MinIO: Vulnerability allows information disclosure and bypassing security measures
dcert.de
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
MinIO flaws enabled forged OIDC tokens and LDAP brute-force to seize S3 access
MinIO disclosed two high-severity authentication vulnerabilities that could let attackers obtain unauthorized access to S3 data and administrative functions. **CVE-2026-33322** affects OpenID Connect authentication in versions from `RELEASE.2022-11-08T05-27-07Z` through versions before `RELEASE.2026-03-17T21-25-16Z`, where a JWT algorithm confusion issue allows an attacker who knows the OIDC `ClientSecret` to forge identity tokens and obtain S3 credentials with arbitrary policies, including `consoleAdmin`. The flaw creates a direct path to compromise confidentiality, integrity, and availability across affected MinIO deployments. A second issue, **CVE-2026-33419**, affects the STS `AssumeRoleWithLDAPIdentity` endpoint in MinIO AIStor before `RELEASE.2026-03-17T21-25-16Z`. Distinct error messages enabled LDAP username enumeration, and the absence of rate limiting allowed unlimited password-guessing attempts by an unauthenticated network attacker. If exploited, the weakness could yield temporary AWS-style STS credentials and expose S3 buckets and objects to unauthorized access. MinIO patched both vulnerabilities in `RELEASE.2026-03-17T21-25-16Z`.
Mar 24, 2026
MinIO Authentication Bypass Lets Attackers Write Arbitrary Objects to Buckets
MinIO disclosed authentication bypass flaws in its `STREAMING-UNSIGNED-PAYLOAD-TRAILER` upload path that let an attacker with knowledge of a valid access key write arbitrary objects to any bucket without the corresponding secret key or a valid cryptographic signature. The issues affect releases from `RELEASE.2023-05-18T00-05-36Z` up to, but not including, `RELEASE.2026-04-11T03-20-12Z`, and were assigned a CVSS v4.0 score of **8.8**. One tracked issue, `CVE-2026-41145`, abuses inconsistent credential handling by omitting the `Authorization` header and supplying credentials through `X-Amz-Credential`, allowing requests to bypass signature verification in `PutObjectHandler` and `PutObjectPartHandler` across standard, warehouse, and multipart upload paths.
Apr 22, 2026
Docker and Docker Desktop Flaws Expose Systems to Security Bypass Risks
German authorities issued advisories for **multiple vulnerabilities in Docker** and a separate **Docker Desktop flaw that allows security measures to be bypassed**, highlighting security risks across both the container engine ecosystem and the desktop management platform. The notices identify Docker broadly as affected in one case, while the other specifically warns that Docker Desktop contains a vulnerability that could let attackers circumvent intended protections. The paired advisories indicate that organizations using Docker in development or production environments may face exposure from both general software weaknesses and a more targeted bypass issue in Docker Desktop. Security teams should review affected versions, assess where Docker and Docker Desktop are deployed, and prioritize vendor guidance and patching to reduce the risk of unauthorized access or weakened container security controls.
Apr 24, 2026