CVE-2026-40344
Published: 22 April 2026
Description
MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler (`PutObjectExtractHandler`) allows any user who knows a valid access key to write arbitrary objects to any bucket…
more
without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name. When `authTypeStreamingUnsignedTrailer` support was added, the new auth type was handled in `PutObjectHandler` and `PutObjectPartHandler` but was never added to `PutObjectExtractHandler`. The snowball auto-extract handler's `switch rAuthType` block has no case for `authTypeStreamingUnsignedTrailer`, so execution falls through with zero signature verification. The `isPutActionAllowed` call before the switch extracts the access key and checks IAM permissions, but does not verify the cryptographic signature. An attacker sends a PUT request with `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`, `X-Amz-Meta-Snowball-Auto-Extract: true`, and an `Authorization` header containing a valid access key with a completely fabricated signature. The request is accepted and the tar payload is extracted into the bucket. Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer. Reject any request containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer. Clients can use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead. Alternatively, restrict WRITE permissions. Limit s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of software flaws like the authentication bypass in MinIO's PutObjectExtractHandler by upgrading to the patched release.
Enforces approved authorizations including full cryptographic signature verification to block unauthorized object writes via the Snowball auto-extract handler despite valid access keys.
Restricts s3:PutObject permissions to least privilege for trusted principals only, limiting exploitation to fewer valid access keys with write access.
Security SummaryAI
CVE-2026-40344 is an authentication bypass vulnerability in MinIO, a high-performance object storage system. It affects deployments from RELEASE.2023-05-18T00-05-36Z up to but not including RELEASE.2026-04-11T03-20-12Z. The issue resides in the Snowball auto-extract handler, specifically the PutObjectExtractHandler, where support for the authTypeStreamingUnsignedTrailer was added to other handlers like PutObjectHandler and PutObjectPartHandler but omitted here. As a result, the switch statement lacks a case for this authentication type, causing execution to fall through without cryptographic signature verification, despite an initial IAM permission check via isPutActionAllowed that only validates the access key.
An attacker can exploit this vulnerability remotely with network access by sending a PUT request using a valid access key—such as the well-known default minioadmin or any key with WRITE permission on a bucket—along with the headers X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER, X-Amz-Meta-Snowball-Auto-Extract: true, and an Authorization header with a fabricated signature. No secret key or valid signature is required. This allows the attacker to write arbitrary objects, including extracting a tar payload, into any target bucket, achieving high integrity impact with a CVSS score of 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L) and mapping to CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function).
MinIO advisories recommend upgrading open-source minio/minio deployments to AIStor RELEASE.2026-04-11T03-20-12Z or later. As interim mitigations, block requests containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the load balancer, reverse proxy, or WAF layer; use the signed variant STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER for clients; and restrict s3:PutObject grants to trusted principals only, though this limits rather than eliminates the attack surface since any WRITE-permission holder can exploit it with just their access key. Relevant fixes are detailed in GitHub commit 76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091, pull request 16484, and security advisory GHSA-9c4q-hq6p-c237.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-40344 is an authentication bypass in the public-facing MinIO object storage service, enabling remote attackers to exploit it for unauthorized object writes via crafted PUT requests, directly mapping to T1190: Exploit Public-Facing Application.