CVE-2026-40344 Overview
CVE-2026-40344 is an authentication bypass vulnerability affecting MinIO, a high-performance object storage system. The flaw exists in MinIO's Snowball auto-extract handler (PutObjectExtractHandler), allowing any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature.
This vulnerability impacts MinIO versions starting from RELEASE.2023-05-18T00-05-36Z through versions prior to RELEASE.2026-04-11T03-20-12Z. The attack is particularly dangerous because it requires only a valid access key—which could be the well-known default minioadmin or any key with WRITE permission on a bucket—and a target bucket name.
Critical Impact
Any MinIO deployment running affected versions is vulnerable to unauthorized object writes, enabling attackers to inject malicious content, overwrite existing data, or store unauthorized files in any accessible bucket using only a valid access key.
Affected Products
- MinIO RELEASE.2023-05-18T00-05-36Z through versions prior to RELEASE.2026-04-11T03-20-12Z
- Any MinIO deployment using default credentials (minioadmin)
- MinIO instances with users granted WRITE permissions on buckets
Discovery Timeline
- 2026-04-22 - CVE-2026-40344 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-40344
Vulnerability Analysis
The vulnerability stems from an incomplete implementation when authTypeStreamingUnsignedTrailer support was added to MinIO. While this authentication type was properly handled in PutObjectHandler and PutObjectPartHandler, it was never added to PutObjectExtractHandler—the handler responsible for Snowball auto-extract functionality.
The Snowball auto-extract handler's switch rAuthType block has no case for authTypeStreamingUnsignedTrailer, causing execution to fall through with zero signature verification. Although the isPutActionAllowed function is called before the switch statement and extracts the access key while checking IAM permissions, it critically does not verify the cryptographic signature.
This implementation gap allows an attacker to bypass authentication entirely by crafting a request that uses the unsigned trailer authentication type with a fabricated signature.
Root Cause
The root cause is a missing case handler in the authentication type switch block within PutObjectExtractHandler. When authTypeStreamingUnsignedTrailer was introduced as a new authentication type, developers updated PutObjectHandler and PutObjectPartHandler but overlooked PutObjectExtractHandler. This oversight created a code path where signature verification is completely bypassed while IAM permission checks still pass based solely on the access key presence.
The vulnerability is classified as CWE-287 (Improper Authentication), as the system fails to properly authenticate the user before allowing a security-sensitive action.
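A simplified Go model of the handler flaw described above, added here as an illustration and not taken from MinIO's code base: the names request, secrets, canWrite, vulnerableExtract and fixedExtract are constructed, the signature is a plain HMAC-SHA256 stand-in for SigV4, and the fixed variant additionally rejects unknown auth types by default.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
)

// Illustrative model of the bug class behind CVE-2026-40344 (not MinIO's code): an IAM check
// that looks only at the access key, then an auth-type switch with no case for the
// unsigned-trailer type (whose payload is unsigned while the request headers are still signed).
type authType int
const authTypeSigned, authTypeStreamingUnsignedTrailer authType = 0, 1
type request struct {
	accessKey, canonical, signature string // canonical: stand-in for the SigV4 canonical request
	auth                            authType
}
// Constructed credential store and IAM policy (access key -> secret key / may write).
var secrets = map[string]string{"minioadmin": "minioadmin"}
var canWrite = map[string]bool{"minioadmin": true}
// isPutActionAllowed mirrors the page: it checks IAM permission for the access key only.
func isPutActionAllowed(r request) bool { return canWrite[r.accessKey] }
// validSignature recomputes the hex HMAC-SHA256 the client presented, using the stored secret.
func validSignature(r request) bool {
	mac := hmac.New(sha256.New, []byte(secrets[r.accessKey]))
	mac.Write([]byte(r.canonical))
	return hmac.Equal([]byte(hex.EncodeToString(mac.Sum(nil))), []byte(r.signature))
}
// vulnerableExtract lacks a case for the unsigned-trailer type: such requests fall through unverified.
func vulnerableExtract(r request) bool { // true = object written
	if !isPutActionAllowed(r) {
		return false
	}
	switch r.auth {
	case authTypeSigned:
		return validSignature(r)
	}
	return true
}
// fixedExtract verifies every known auth type and rejects unknown ones by default.
func fixedExtract(r request) bool {
	if !isPutActionAllowed(r) {
		return false
	}
	switch r.auth {
	case authTypeSigned, authTypeStreamingUnsignedTrailer:
		return validSignature(r)
	default:
		return false
	}
}
```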
Attack Vector
An attacker exploits this vulnerability by sending a specially crafted PUT request to MinIO with the following characteristics:
- The request includes X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER header to trigger the unsigned trailer auth path
- The request includes X-Amz-Meta-Snowball-Auto-Extract: true header to route the request to the vulnerable handler
- The Authorization header contains a valid access key paired with a completely fabricated/invalid signature
- The request body contains a tar payload that will be extracted into the target bucket
When processed, the request passes IAM permission checks (which only verify the access key has WRITE permission) and bypasses signature verification entirely. The tar payload is then extracted into the specified bucket, allowing the attacker to write arbitrary objects without proper authentication.
Detection Methods for CVE-2026-40344
Indicators of Compromise
- Unexpected objects appearing in MinIO buckets, particularly tar-extracted files
- PUT requests to MinIO containing both X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER and X-Amz-Meta-Snowball-Auto-Extract: true headers
- Authentication logs showing successful writes with mismatched or invalid signatures
- Anomalous bucket activity from source IPs not associated with legitimate users
Detection Strategies
- Monitor MinIO access logs for requests containing STREAMING-UNSIGNED-PAYLOAD-TRAILER in the content SHA256 header combined with Snowball auto-extract metadata
- Implement signature validation alerts at the WAF or reverse proxy layer to detect requests with known valid access keys but invalid signature patterns
- Deploy anomaly detection for bucket write operations, flagging unexpected tar extractions or sudden increases in object creation
Monitoring Recommendations
- Enable detailed audit logging in MinIO to capture all authentication attempts and object operations
- Configure SIEM rules to correlate access key usage patterns with signature validation failures
- Establish baseline metrics for Snowball auto-extract operations and alert on deviations from normal usage patterns
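The header-based indicator and the first detection strategy above, worked as Go code over constructed audit records (an added example, not MinIO tooling; the JSON field names time, remotehost, api and requestHeader are assumptions modelled on MinIO's audit log format, so map them to your deployment's actual fields).

```go
package main

import (
	"encoding/json"
	"strings"
)

// auditEvent is the subset of an audit record this detector reads. The field names are
// assumptions modelled on MinIO's JSON audit log; adjust them to your deployment's format.
type auditEvent struct {
	Time          string                          `json:"time"`
	RemoteHost    string                          `json:"remotehost"`
	API           struct{ Bucket, Object string } `json:"api"`
	RequestHeader map[string]string               `json:"requestHeader"`
}
type finding struct{ Time, RemoteHost, Bucket, Object, AccessKey string }
// header is a case-insensitive lookup; header casing varies by client and proxy.
func (e auditEvent) header(name string) string {
	for k, v := range e.RequestHeader {
		if strings.EqualFold(k, name) {
			return v
		}
	}
	return ""
}
// accessKeyFrom pulls <accessKey> out of a SigV4 "Credential=<accessKey>/<date>/..." header.
func accessKeyFrom(authz string) string {
	_, after, _ := strings.Cut(authz, "Credential=")
	key, _, _ := strings.Cut(after, "/")
	return key
}
// detectSnowballUnsignedTrailer flags records carrying both the unsigned-trailer hash and the auto-extract header.
func detectSnowballUnsignedTrailer(auditLog string) []finding {
	var out []finding
	for _, line := range strings.Split(auditLog, "\n") {
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			continue // blank or non-JSON line; skip it rather than abort the scan
		}
		if ev.header("X-Amz-Content-Sha256") == "STREAMING-UNSIGNED-PAYLOAD-TRAILER" &&
			strings.EqualFold(ev.header("X-Amz-Meta-Snowball-Auto-Extract"), "true") {
			out = append(out, finding{ev.Time, ev.RemoteHost, ev.API.Bucket, ev.API.Object,
				accessKeyFrom(ev.header("Authorization"))})
		}
	}
	return out
}
// Constructed sample records: a signed-trailer upload (benign) and one matching the indicator.
const sampleAuditLog = `{"time":"2026-04-22T10:00:00Z","remotehost":"10.0.0.5","api":{"bucket":"backups","object":"db.tar"},"requestHeader":{"Authorization":"AWS4-HMAC-SHA256 Credential=backupsvc/20260422/us-east-1/s3/aws4_request, Signature=abc","X-Amz-Content-Sha256":"STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER"}}
{"time":"2026-04-22T10:01:00Z","remotehost":"198.51.100.7","api":{"bucket":"backups","object":"bundle.tar"},"requestHeader":{"Authorization":"AWS4-HMAC-SHA256 Credential=minioadmin/20260422/us-east-1/s3/aws4_request, Signature=ffff","x-amz-content-sha256":"STREAMING-UNSIGNED-PAYLOAD-TRAILER","X-Amz-Meta-Snowball-Auto-Extract":"true"}}`
```

Feed the function the output of your audit log shipper one line per record; each finding carries the access key so it can be correlated with that key's normal usage in the SIEM.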
How to Mitigate CVE-2026-40344
Immediate Actions Required
- Upgrade MinIO to RELEASE.2026-04-11T03-20-12Z or later immediately
- If using default credentials (minioadmin), rotate to strong, unique access keys immediately
- Block unsigned-trailer requests at the load balancer or reverse proxy until patching is complete
- Audit bucket contents for unauthorized objects that may have been written through exploitation
Patch Information
Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. The fix adds proper handling for authTypeStreamingUnsignedTrailer in the PutObjectExtractHandler, ensuring cryptographic signature verification is performed for all authentication types.
For technical details on the fix, refer to the GitHub Commit and GitHub Pull Request. Additional context is available in the GitHub Security Advisory.
Workarounds
- Block unsigned-trailer requests at the load balancer by rejecting any request containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer
- Configure clients to use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead of the unsigned trailer option
- Restrict WRITE permissions by limiting s3:PutObject grants to trusted principals only (note: this reduces attack surface but does not eliminate the vulnerability since any user with WRITE permission can still exploit it)
- Implement network segmentation to limit which systems can reach MinIO endpoints
# Example NGINX configuration to block vulnerable requests
# Note: this also rejects legitimate clients that use unsigned trailers; point them
# at STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) first.
location / {
    # NGINX exposes the X-Amz-Content-Sha256 request header as $http_x_amz_content_sha256
    if ($http_x_amz_content_sha256 = "STREAMING-UNSIGNED-PAYLOAD-TRAILER") {
        return 403 "Unsigned trailer requests blocked for security";
    }
    proxy_pass http://minio-backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

