CVE-2026-41145 Overview
CVE-2026-41145 is an authentication bypass vulnerability affecting MinIO, a high-performance object storage system. The flaw exists in MinIO's STREAMING-UNSIGNED-PAYLOAD-TRAILER code path, allowing any user who knows a valid access key to write arbitrary objects to any bucket without knowing the corresponding secret key or providing a valid cryptographic signature.
This vulnerability stems from a discrepancy in how PutObjectHandler and PutObjectPartHandler handle signature verification versus credential extraction. When the Authorization header is absent, the signature verification gate evaluates to false, causing doesSignatureMatch to never be called. However, isPutActionAllowed still extracts and trusts credentials from the X-Amz-Credential query parameter, allowing requests to proceed with the permissions of the impersonated access key.
Critical Impact
Any MinIO deployment is vulnerable to unauthorized object writes. An attacker with knowledge of any valid access key (including the well-known default minioadmin) can write arbitrary objects to any bucket the impersonated key has WRITE permissions on, completely bypassing cryptographic signature verification.
Affected Products
- MinIO versions starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z
- All deployment configurations using the affected versions
- Deployments using default credentials (minioadmin) are at heightened risk
Discovery Timeline
- April 22, 2026 - CVE-2026-41145 published to NVD
- April 22, 2026 - Last updated in NVD database
Technical Details for CVE-2026-41145
Vulnerability Analysis
This authentication bypass vulnerability (CWE-287) exploits a logic flaw in MinIO's request handling for the STREAMING-UNSIGNED-PAYLOAD-TRAILER content type. The core issue lies in the separation between signature validation and credential extraction across different handler functions.
The PutObjectHandler and PutObjectPartHandler invoke newUnsignedV4ChunkedReader with a signature verification gate that depends solely on the presence of the Authorization header. When this header is omitted, the gate evaluates to false and cryptographic signature validation via doesSignatureMatch is completely bypassed.
Separately, isPutActionAllowed performs credential extraction from two possible sources: the Authorization header or the X-Amz-Credential query parameter. This function trusts whichever source provides credentials. By omitting the Authorization header and supplying credentials exclusively via the query string, an attacker causes signature verification to be skipped while still being authenticated with the permissions of the specified access key.
The vulnerability affects both PutObjectHandler (including standard and tables/warehouse bucket paths) and PutObjectPartHandler for multipart uploads.
Root Cause
The root cause is a trust boundary violation where credential extraction (isPutActionAllowed) and signature verification (doesSignatureMatch) operate on different assumptions about request structure. The signature verification gate uses header presence as a proxy for whether verification is needed, while credential extraction accepts credentials from multiple sources without ensuring corresponding signature validation occurred.
Attack Vector
The attack is network-based and requires minimal prerequisites. An attacker needs:
- Knowledge of a valid access key (the default minioadmin key or any key with WRITE permission)
- The name of a target bucket
- Network access to the MinIO endpoint
The attacker constructs a PUT request that:
- Omits the Authorization header entirely
- Supplies credentials via the X-Amz-Credential query parameter
- Sets X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER
The absence of the Authorization header causes the signature gate to bypass verification, while the query-string credentials are extracted and trusted by isPutActionAllowed. The request proceeds with full WRITE permissions of the impersonated access key.
No exploit code is provided. For technical details on the vulnerability mechanics, refer to the GitHub Security Advisory and the commit that addresses this issue.
Detection Methods for CVE-2026-41145
Indicators of Compromise
- Requests containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER header without a corresponding Authorization header
- PUT requests to MinIO endpoints with X-Amz-Credential in the query string but no Authorization header
- Unexpected objects appearing in buckets, especially with metadata indicating external origin
- Audit log entries showing successful writes without valid signature verification
Detection Strategies
- Configure WAF or reverse proxy logging to flag requests with STREAMING-UNSIGNED-PAYLOAD-TRAILER content-sha256 values
- Implement MinIO audit logging and monitor for PUT operations with unusual credential patterns
- Deploy network monitoring to detect PUT requests that contain query-string credentials without Authorization headers
- Review bucket contents for unauthorized objects and correlate with access logs
Monitoring Recommendations
- Enable comprehensive MinIO server audit logging to track all PUT operations
- Monitor load balancer and reverse proxy logs for requests matching the attack pattern
- Set up alerts for high-volume PUT requests to sensitive buckets
- Implement periodic bucket content audits to detect unauthorized objects
How to Mitigate CVE-2026-41145
Immediate Actions Required
- Upgrade MinIO to RELEASE.2026-04-11T03-20-12Z or later immediately
- Review bucket contents for any unauthorized objects that may have been written
- Rotate all access keys, especially if default credentials were in use
- Audit access logs for signs of exploitation prior to patching
Patch Information
The vulnerability is fixed in MinIO AIStor RELEASE.2026-04-11T03-20-12Z and later versions. Users of the open-source minio/minio project should upgrade to this release or newer. The fix can be reviewed in the GitHub commit and associated pull request.
Workarounds
- Block unsigned-trailer requests at the load balancer or reverse proxy layer by rejecting requests containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER
- Instruct clients to use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead of the unsigned variant
- Restrict WRITE permissions by limiting s3:PutObject grants to trusted principals only (note: this reduces attack surface but does not eliminate the vulnerability)
- Implement network segmentation to limit which systems can reach MinIO endpoints
# Example nginx configuration to block vulnerable requests
# Add to your nginx server block protecting MinIO
# Block requests with unsigned payload trailer
if ($http_x_amz_content_sha256 = "STREAMING-UNSIGNED-PAYLOAD-TRAILER") {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
