CVE-2026-42600 Overview
CVE-2026-42600 is a path traversal vulnerability in MinIO, a high-performance object storage system. The flaw affects the ReadMultiple internode storage-REST endpoint and is present in releases from RELEASE.2022-07-24T01-54-52Z up to versions before RELEASE.2026-04-14T21-32-45Z. An attacker holding the cluster root JSON Web Token (JWT) can read arbitrary files outside the configured drive roots. File access is bounded only by the MinIO process user ID (UID) on the host. The vulnerability is tracked as CWE-22: Path Traversal and is fixed in RELEASE.2026-04-14T21-32-45Z.
Critical Impact
A caller with cluster root JWT credentials can read sensitive files anywhere on the MinIO host file system, including configuration, key material, and credentials accessible to the MinIO process UID.
Affected Products
- MinIO releases from RELEASE.2022-07-24T01-54-52Z onward
- MinIO releases before RELEASE.2026-04-14T21-32-45Z
- Deployments exposing the internode storage-REST endpoint to attacker-reachable networks
Discovery Timeline
- 2026-05-11 - CVE-2026-42600 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42600
Vulnerability Analysis
The vulnerability resides in MinIO's internode storage-REST API, specifically in the ReadMultiple handler exposed at POST minio/storage/{drivePath}/v63/rmpl. The handler accepts a msgpack-encoded request body containing a Bucket field. The server uses that value to construct a file path without sanitizing ../ traversal sequences. The constructed path is then opened with os.OpenFile using the O_RDONLY|O_NOATIME flags, and the contents are returned in the msgpack response stream. An authenticated caller with the cluster root JWT can therefore read any file readable by the MinIO process user.
Root Cause
The root cause is missing canonicalization and validation of the Bucket field before joining it to the configured drive root. Because the path is not constrained to the intended directory, traversal sequences escape the storage root. The use of O_NOATIME further suppresses access-time updates that defenders might otherwise observe on the target files.
Attack Vector
Exploitation requires possession of the cluster root JWT, which authorizes internode requests between MinIO nodes. A caller with network access to a node's storage-REST endpoint sends a crafted POST to the rmpl route. The msgpack body sets Bucket to a value containing ../ segments that resolve outside the drive root. The server reads the targeted file and returns its contents in the response. No user interaction is required, and the request is structurally identical to legitimate internode traffic.
The vulnerability mechanism is documented in the MinIO GitHub Security Advisory GHSA-xh8f-g2qw-gcm7. No verified public proof-of-concept code is available at the time of writing.
Detection Methods for CVE-2026-42600
Indicators of Compromise
- HTTP POST requests to paths matching minio/storage/*/v63/rmpl from unexpected sources or at unusual volumes.
- Msgpack request bodies containing .., ../, or encoded traversal sequences within the Bucket field.
- MinIO process file descriptors opening files outside configured drive roots, such as /etc/, /root/, or service home directories.
Detection Strategies
- Inspect MinIO access logs and reverse-proxy logs for requests to the v63/rmpl endpoint and correlate against expected internode peers.
- Deploy auditd or eBPF-based file access monitoring on MinIO hosts to flag openat calls by the MinIO process targeting paths outside the storage roots.
- Alert on cluster root JWT usage originating from non-cluster IP addresses or container namespaces.
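The first strategy above, correlating rmpl requests against the expected peer set, as an added example in Go (not MinIO's own code): it scans constructed access-log lines of an assumed "source-ip method path status" layout, which is not MinIO's real log format, and flags POSTs to the ReadMultiple route from any source outside the trusted peer list.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// rmplPath matches the ReadMultiple route named in the advisory:
// minio/storage/{drivePath}/v63/rmpl (a leading slash is tolerated).
var rmplPath = regexp.MustCompile(`^/?minio/storage/[^/]+/v63/rmpl$`)

// Alert records one request to the rmpl route from a non-peer source.
type Alert struct {
	Source string
	Path   string
}

// FlagRMPL scans simplified log lines of the constructed form
// "<source-ip> <method> <path> <status>" (an assumed layout, not MinIO's
// own log format) and returns POSTs to the rmpl route whose source is
// not in the trusted cluster peer set.
func FlagRMPL(lines []string, peers map[string]bool) []Alert {
	var alerts []Alert
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 3 || f[1] != "POST" || !rmplPath.MatchString(f[2]) {
			continue
		}
		if !peers[f[0]] {
			alerts = append(alerts, Alert{Source: f[0], Path: f[2]})
		}
	}
	return alerts
}

func main() {
	// Constructed sample: two cluster peers talking to each other, one outsider.
	logLines := []string{
		"10.0.0.11 POST /minio/storage/data1/v63/rmpl 200",
		"10.0.0.12 POST /minio/storage/data2/v63/rmpl 200",
		"203.0.113.7 POST /minio/storage/data1/v63/rmpl 200",
		"203.0.113.7 GET /minio/health/live 200",
	}
	peers := map[string]bool{"10.0.0.10": true, "10.0.0.11": true, "10.0.0.12": true}
	for _, a := range FlagRMPL(logLines, peers) {
		fmt.Printf("ALERT: rmpl request from non-peer %s to %s\n", a.Source, a.Path)
	}
}
```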
Monitoring Recommendations
- Ingest MinIO server logs, host process telemetry, and network flow data into a centralized analytics platform for correlation across nodes.
- Track baseline volumes of internode storage-REST traffic and alert on deviations that may indicate abuse of ReadMultiple.
- Monitor for exposure of the internode port to networks outside the trusted cluster subnet.
How to Mitigate CVE-2026-42600
Immediate Actions Required
- Upgrade all MinIO nodes to RELEASE.2026-04-14T21-32-45Z or later as the primary remediation.
- Restrict network access to MinIO internode ports so only cluster members can reach the storage-REST endpoint.
- Rotate the cluster root credentials and any secrets that may have been readable by the MinIO process UID if compromise is suspected.
Patch Information
MinIO addressed the issue in RELEASE.2026-04-14T21-32-45Z by validating the Bucket field in ReadMultiple requests and rejecting paths that escape the configured drive root. Refer to the MinIO Security Advisory GHSA-xh8f-g2qw-gcm7 for the official fix details.
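The shape of the fix described above, as an added illustration in Go rather than MinIO's actual patch: an unchecked join of the untrusted Bucket value beside a version that canonicalizes the joined path and rejects anything resolving outside the drive root. The function names and the /data1 drive root are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrPathTraversal = errors.New("bucket escapes drive root")

// vulnerableJoin mirrors the flawed construction: the Bucket value is joined
// onto the drive root with no check, so "../" segments resolve outside it.
func vulnerableJoin(driveRoot, bucket string) string {
	return filepath.Join(driveRoot, bucket)
}

// ResolveBucketPath joins the untrusted bucket name onto the drive root and
// returns the result only if it still lies strictly inside the root. It
// rejects empty and absolute names, names that resolve to the root itself,
// and any cleaned path that climbs out of the root (including siblings that
// merely share the root's prefix, e.g. /data1-other next to /data1).
// Note: this is a lexical check; symlinks inside the root would need
// filepath.EvalSymlinks before the comparison.
func ResolveBucketPath(driveRoot, bucket string) (string, error) {
	if bucket == "" || filepath.IsAbs(bucket) {
		return "", ErrPathTraversal
	}
	root := filepath.Clean(driveRoot)
	joined := filepath.Join(root, bucket) // Join also runs Clean
	rel, err := filepath.Rel(root, joined)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return joined, nil
}

func main() {
	for _, b := range []string{"photos", "../../etc/passwd", "/etc/passwd"} {
		p, err := ResolveBucketPath("/data1", b)
		fmt.Printf("bucket %q: unchecked=%s checked=%q err=%v\n",
			b, vulnerableJoin("/data1", b), p, err)
	}
}
```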
Workarounds
- Place MinIO internode communication on an isolated network segment or private VLAN unreachable from application or user networks.
- Run the MinIO process as a dedicated unprivileged user with file system access limited to drive roots, reducing the blast radius of arbitrary reads.
- Enforce strict firewall rules that permit storage-REST traffic only between known cluster node IP addresses.
# Configuration example: restrict MinIO internode port (default 9000) to cluster peers only
# Replace 10.0.0.10, 10.0.0.11, 10.0.0.12 with your MinIO node IPs
sudo iptables -A INPUT -p tcp --dport 9000 -s 10.0.0.10 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 9000 -s 10.0.0.11 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 9000 -s 10.0.0.12 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 9000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.