MinIO Authentication Bypass Lets Attackers Write Arbitrary Objects to Buckets
MinIO disclosed authentication bypass flaws in its STREAMING-UNSIGNED-PAYLOAD-TRAILER upload path that let an attacker with knowledge of a valid access key write arbitrary objects to any bucket without the corresponding secret key or a valid cryptographic signature. The issues affect releases from RELEASE.2023-05-18T00-05-36Z up to, but not including, RELEASE.2026-04-11T03-20-12Z, and were assigned a CVSS v4.0 score of 8.8. One tracked issue, CVE-2026-41145, abuses inconsistent credential handling by omitting the Authorization header and supplying credentials through X-Amz-Credential, allowing requests to bypass signature verification in PutObjectHandler and PutObjectPartHandler across standard, warehouse, and multipart upload paths.
Timeline
Apr 22, 2026
CVE-2026-41145 entry details query-string credential signature bypass
A CVE entry for `CVE-2026-41145` documented the MinIO query-string credential signature bypass in unsigned-trailer uploads, clarifying that deployments before `RELEASE.2026-04-11T03-20-12Z` were affected. It described how omitting the `Authorization` header and supplying `X-Amz-Credential` could bypass signature checks in object and multipart upload handlers.
Apr 11, 2026
MinIO publicly discloses two unauthenticated object-write vulnerabilities
MinIO published a security advisory describing two high-severity flaws in the unsigned-trailer upload path, including one in Snowball auto-extract handling and another affecting `PutObjectHandler` and `PutObjectPartHandler` when credentials are supplied via query string. The advisory rated the issues CVSS v4.0 8.8 and recommended upgrading, blocking `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`, and restricting write permissions.
Apr 11, 2026
MinIO fixes unsigned-trailer authentication bypass flaws in AIStor
MinIO fixed two authentication bypass vulnerabilities affecting `STREAMING-UNSIGNED-PAYLOAD-TRAILER` uploads in AIStor `RELEASE.2026-04-11T03-20-12Z`. The fixes addressed missing or bypassed signature verification that could let an attacker with a valid access key write arbitrary objects without the secret key.
May 18, 2023
MinIO introduces unsigned-trailer auth code path in affected releases
MinIO's vulnerable `authTypeStreamingUnsignedTrailer` support was introduced in commit `76913a9fd`, and the affected release range begins with `RELEASE.2023-05-18T00-05-36Z`. This change created the code paths later found to allow unauthenticated object writes under certain conditions.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
Related Stories
MinIO flaws enabled forged OIDC tokens and LDAP brute-force to seize S3 access
MinIO disclosed two high-severity authentication vulnerabilities that could let attackers obtain unauthorized access to S3 data and administrative functions. **CVE-2026-33322** affects OpenID Connect authentication in versions from `RELEASE.2022-11-08T05-27-07Z` through versions before `RELEASE.2026-03-17T21-25-16Z`, where a JWT algorithm confusion issue allows an attacker who knows the OIDC `ClientSecret` to forge identity tokens and obtain S3 credentials with arbitrary policies, including `consoleAdmin`. The flaw creates a direct path to compromise confidentiality, integrity, and availability across affected MinIO deployments. A second issue, **CVE-2026-33419**, affects the STS `AssumeRoleWithLDAPIdentity` endpoint in MinIO AIStor before `RELEASE.2026-03-17T21-25-16Z`. Distinct error messages enabled LDAP username enumeration, and the absence of rate limiting allowed unlimited password-guessing attempts by an unauthenticated network attacker. If exploited, the weakness could yield temporary AWS-style STS credentials and expose S3 buckets and objects to unauthorized access. MinIO patched both vulnerabilities in `RELEASE.2026-03-17T21-25-16Z`.
1 months ago
MinIO Flaws Enable Security Bypass and Information Disclosure
German authorities issued advisories for multiple **MinIO** vulnerabilities that can bypass security controls, with one notice also warning of **information disclosure**. The advisories identify weaknesses in the object storage platform that could allow attackers to circumvent intended protections and expose sensitive data under certain conditions. A later advisory expanded the scope from a single issue to **multiple vulnerabilities** affecting MinIO, all tied to bypassing security measures. Organizations using MinIO should review the referenced advisories, identify affected deployments, and prioritize vendor fixes or mitigations to reduce the risk of unauthorized access and data exposure.
Today
Docker Engine AuthZ Bypass Flaw Enables Host Access via Oversized API Requests
Docker disclosed a high-severity Docker Engine vulnerability, **CVE-2026-34040** (`CVSS 8.8`), that allows attackers to bypass authorization plugins and perform actions that should be blocked. The flaw stems from an incomplete fix for **CVE-2024-41110** and is triggered when a specially crafted oversized Docker API request causes the request body to be dropped before inspection by an AuthZ plugin. In affected environments, the plugin may approve container operations it would otherwise deny, opening a path to unauthorized privileged actions and potential host compromise. Researchers said an attacker with Docker API access could exploit the bug by padding a container-creation request beyond **1 MB** to launch a privileged container with access to the host filesystem, exposing sensitive assets such as **AWS credentials**, **SSH keys**, and **Kubernetes configurations**. The issue affects deployments that rely on authorization plugins inspecting request bodies, while environments not using those plugins are not impacted. Docker patched the vulnerability in **Docker Engine 29.3.1** and urged defenders to upgrade, restrict Docker API access, avoid AuthZ plugins that depend on request-body inspection, and use controls such as rootless mode, user namespace remapping, and least-privilege access to reduce risk.
4 weeks ago