Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-41145

CVE-2026-41145: MinIO Auth Bypass Vulnerability

CVE-2026-41145 is an authentication bypass vulnerability in MinIO that allows attackers to write objects to any bucket using only an access key. This article covers technical details, affected versions, and mitigation steps.

Published:

CVE-2026-41145 Overview

CVE-2026-41145 is an authentication bypass vulnerability affecting MinIO, a high-performance object storage system. The flaw exists in MinIO's STREAMING-UNSIGNED-PAYLOAD-TRAILER code path, allowing any user who knows a valid access key to write arbitrary objects to any bucket without knowing the corresponding secret key or providing a valid cryptographic signature.

This vulnerability stems from a discrepancy in how PutObjectHandler and PutObjectPartHandler handle signature verification versus credential extraction. When the Authorization header is absent, the signature verification gate evaluates to false, causing doesSignatureMatch to never be called. However, isPutActionAllowed still extracts and trusts credentials from the X-Amz-Credential query parameter, allowing requests to proceed with the permissions of the impersonated access key.

Critical Impact

Any MinIO deployment is vulnerable to unauthorized object writes. An attacker with knowledge of any valid access key (including the well-known default minioadmin) can write arbitrary objects to any bucket the impersonated key has WRITE permissions on, completely bypassing cryptographic signature verification.

Affected Products

  • MinIO versions starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z
  • All deployment configurations using the affected versions
  • Deployments using default credentials (minioadmin) are at heightened risk

Discovery Timeline

  • April 22, 2026 - CVE-2026-41145 published to NVD
  • April 22, 2026 - Last updated in NVD database

Technical Details for CVE-2026-41145

Vulnerability Analysis

This authentication bypass vulnerability (CWE-287) exploits a logic flaw in MinIO's request handling for the STREAMING-UNSIGNED-PAYLOAD-TRAILER content type. The core issue lies in the separation between signature validation and credential extraction across different handler functions.

The PutObjectHandler and PutObjectPartHandler invoke newUnsignedV4ChunkedReader with a signature verification gate that depends solely on the presence of the Authorization header. When this header is omitted, the gate evaluates to false and cryptographic signature validation via doesSignatureMatch is completely bypassed.

Separately, isPutActionAllowed performs credential extraction from two possible sources: the Authorization header or the X-Amz-Credential query parameter. This function trusts whichever source provides credentials. By omitting the Authorization header and supplying credentials exclusively via the query string, an attacker causes signature verification to be skipped while still being authenticated with the permissions of the specified access key.

The vulnerability affects both PutObjectHandler (including standard and tables/warehouse bucket paths) and PutObjectPartHandler for multipart uploads.

Root Cause

The root cause is a trust boundary violation where credential extraction (isPutActionAllowed) and signature verification (doesSignatureMatch) operate on different assumptions about request structure. The signature verification gate uses header presence as a proxy for whether verification is needed, while credential extraction accepts credentials from multiple sources without ensuring corresponding signature validation occurred.

Attack Vector

The attack is network-based and requires minimal prerequisites. An attacker needs:

  1. Knowledge of a valid access key (the default minioadmin key or any key with WRITE permission)
  2. The name of a target bucket
  3. Network access to the MinIO endpoint

The attacker constructs a PUT request that:

  • Omits the Authorization header entirely
  • Supplies credentials via the X-Amz-Credential query parameter
  • Sets X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER

The absence of the Authorization header causes the signature gate to bypass verification, while the query-string credentials are extracted and trusted by isPutActionAllowed. The request proceeds with full WRITE permissions of the impersonated access key.

No exploit code is provided. For technical details on the vulnerability mechanics, refer to the GitHub Security Advisory and the commit that addresses this issue.

Detection Methods for CVE-2026-41145

Indicators of Compromise

  • Requests containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER header without a corresponding Authorization header
  • PUT requests to MinIO endpoints with X-Amz-Credential in the query string but no Authorization header
  • Unexpected objects appearing in buckets, especially with metadata indicating external origin
  • Audit log entries showing successful writes without valid signature verification

Detection Strategies

  • Configure WAF or reverse proxy logging to flag requests with STREAMING-UNSIGNED-PAYLOAD-TRAILER content-sha256 values
  • Implement MinIO audit logging and monitor for PUT operations with unusual credential patterns
  • Deploy network monitoring to detect PUT requests that contain query-string credentials without Authorization headers
  • Review bucket contents for unauthorized objects and correlate with access logs

Monitoring Recommendations

  • Enable comprehensive MinIO server audit logging to track all PUT operations
  • Monitor load balancer and reverse proxy logs for requests matching the attack pattern
  • Set up alerts for high-volume PUT requests to sensitive buckets
  • Implement periodic bucket content audits to detect unauthorized objects

How to Mitigate CVE-2026-41145

Immediate Actions Required

  • Upgrade MinIO to RELEASE.2026-04-11T03-20-12Z or later immediately
  • Review bucket contents for any unauthorized objects that may have been written
  • Rotate all access keys, especially if default credentials were in use
  • Audit access logs for signs of exploitation prior to patching

Patch Information

The vulnerability is fixed in MinIO AIStor RELEASE.2026-04-11T03-20-12Z and later versions. Users of the open-source minio/minio project should upgrade to this release or newer. The fix can be reviewed in the GitHub commit and associated pull request.

Workarounds

  • Block unsigned-trailer requests at the load balancer or reverse proxy layer by rejecting requests containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER
  • Instruct clients to use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead of the unsigned variant
  • Restrict WRITE permissions by limiting s3:PutObject grants to trusted principals only (note: this reduces attack surface but does not eliminate the vulnerability)
  • Implement network segmentation to limit which systems can reach MinIO endpoints
bash
# Example nginx configuration to block vulnerable requests
# Add to your nginx server block protecting MinIO

# Block requests with unsigned payload trailer
if ($http_x_amz_content_sha256 = "STREAMING-UNSIGNED-PAYLOAD-TRAILER") {
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne