CVE-2026-41145
Published: 22 April 2026
Description
MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name.

`PutObjectHandler` and `PutObjectPartHandler` call `newUnsignedV4ChunkedReader` with a signature verification gate based solely on the presence of the `Authorization` header. Meanwhile, `isPutActionAllowed` extracts credentials from either the `Authorization` header or the `X-Amz-Credential` query parameter, and trusts whichever it finds. An attacker omits the `Authorization` header and supplies credentials exclusively via the query string. The signature gate evaluates to `false`, `doesSignatureMatch` is never called, and the request proceeds with the permissions of the impersonated access key. This affects `PutObjectHandler` (standard and tables/warehouse bucket paths) and `PutObjectPartHandler` (multipart uploads).

Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-04-11T03-20-12Z` or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer: reject any request containing `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the reverse proxy or WAF layer. Clients can use `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER` (the signed variant) instead. Alternatively, restrict WRITE permissions by limiting `s3:PutObject` grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability, since any user with WRITE permission can exploit it with only their access key.
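The root cause is that two pieces of code disagree about where an identity comes from: the signature gate only looks at the `Authorization` header, while the authorization check also accepts `X-Amz-Credential` from the query string. The following Go program is an added illustration written for this page, not MinIO's source and not the project's patch (that is in the referenced commit); it models the two gates as the description gives them and evaluates them against constructed requests (`minio.example.invalid`, `minioadmin` as the well-known default, a dummy signature). The hardened gate shown here is a hypothetical fix that keys signature verification to the same credential sources the authorization check uses.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// unsignedTrailer is the X-Amz-Content-Sha256 value on the affected code path.
const unsignedTrailer = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"

// accessKeyFrom models the advisory's account of isPutActionAllowed: the
// access key is taken from the Authorization header when present, otherwise
// from the X-Amz-Credential query parameter, and whichever is found is trusted.
// Simplified parser for the scope "<accessKey>/<date>/<region>/s3/aws4_request".
func accessKeyFrom(r *http.Request) string {
	auth := r.Header.Get("Authorization")
	if i := strings.Index(auth, "Credential="); i >= 0 {
		return strings.SplitN(auth[i+len("Credential="):], "/", 2)[0]
	}
	if cred := r.URL.Query().Get("X-Amz-Credential"); cred != "" {
		return strings.SplitN(cred, "/", 2)[0]
	}
	return ""
}

// vulnerableGate reproduces the flaw the advisory describes: signature
// verification is triggered only by the presence of the Authorization header.
func vulnerableGate(r *http.Request) bool {
	return r.Header.Get("Authorization") != ""
}

// hardenedGate (hypothetical fix) ties the decision to the same fact the
// authorization check relies on: if an access key was extracted from any
// source, a signature must be verified before the request may act as that key.
func hardenedGate(r *http.Request) bool {
	return accessKeyFrom(r) != ""
}

// Outcome records what each gate does with one request.
type Outcome struct {
	AccessKey        string // identity the request would run as ("" = anonymous)
	VulnVerifies     bool   // vulnerable gate would call doesSignatureMatch
	HardenedVerifies bool   // hardened gate would call doesSignatureMatch
}

func evaluate(r *http.Request) Outcome {
	return Outcome{
		AccessKey:        accessKeyFrom(r),
		VulnVerifies:     vulnerableGate(r),
		HardenedVerifies: hardenedGate(r),
	}
}

// queryOnlyRequest is the request shape the advisory describes, built from
// constructed placeholder values: no Authorization header, credentials only in
// the query string, unsigned streaming trailer selected.
func queryOnlyRequest() *http.Request {
	q := url.Values{}
	q.Set("X-Amz-Credential", "minioadmin/20260422/us-east-1/s3/aws4_request")
	r, _ := http.NewRequest(http.MethodPut, "http://minio.example.invalid/bucket/object?"+q.Encode(), nil)
	r.Header.Set("X-Amz-Content-Sha256", unsignedTrailer)
	return r
}

// headerSignedRequest is an ordinary unsigned-trailer upload with the
// Authorization header present (dummy signature value); both gates verify it.
func headerSignedRequest() *http.Request {
	r, _ := http.NewRequest(http.MethodPut, "http://minio.example.invalid/bucket/object", nil)
	r.Header.Set("Authorization", "AWS4-HMAC-SHA256 Credential=minioadmin/20260422/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256, Signature=0000")
	r.Header.Set("X-Amz-Content-Sha256", unsignedTrailer)
	return r
}

func main() {
	for name, r := range map[string]*http.Request{
		"query-only":    queryOnlyRequest(),
		"header-signed": headerSignedRequest(),
	} {
		o := evaluate(r)
		fmt.Printf("%-14s key=%q vulnerable-verifies=%t hardened-verifies=%t\n",
			name, o.AccessKey, o.VulnVerifies, o.HardenedVerifies)
	}
}
```

The query-only case is the one that matters: the request is attributed to `minioadmin` by both versions, but only the hardened gate insists on a signature check before honouring that identity. Any real fix must keep the gate and the credential extraction in agreement, or the same class of mismatch reappears on the next code path that reads credentials from a second location.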
Mitigating Controls (NIST 800-53 r5, AI-generated)
- Directly mitigates the authentication bypass by requiring timely remediation: upgrade MinIO to RELEASE.2026-04-11T03-20-12Z or later to patch the flawed signature verification logic.
- Enforces boundary protection by blocking unsigned-trailer requests containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at load balancers or WAFs, as recommended for interim mitigation.
- Reduces the attack surface by enforcing least privilege on access keys, limiting s3:PutObject WRITE permissions to trusted principals only.
Security Summary (AI-generated)
CVE-2026-41145 is an authentication bypass vulnerability in MinIO, a high-performance object storage system. It affects versions starting from RELEASE.2023-05-18T00-05-36Z up to but not including RELEASE.2026-04-11T03-20-12Z. The flaw exists in the STREAMING-UNSIGNED-PAYLOAD-TRAILER code path within PutObjectHandler and PutObjectPartHandler, where signature verification relies solely on the presence of the Authorization header. When credentials are supplied exclusively via the X-Amz-Credential query parameter without the Authorization header, the signature check is skipped, allowing requests to proceed with the permissions of the provided access key. This impacts all MinIO deployments, with a CVSS v3.1 score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L) and is associated with CWE-287 (Improper Authentication).
Any attacker with a valid access key—such as the well-known default minioadmin or any key possessing WRITE permissions on a bucket—can exploit this to write arbitrary objects to any target bucket without needing the corresponding secret key or a valid cryptographic signature. The attack involves omitting the Authorization header, providing credentials via the query string, and using the STREAMING-UNSIGNED-PAYLOAD-TRAILER value in the X-Amz-Content-Sha256 header. This enables full object writes via standard PutObjectHandler paths (including tables/warehouse buckets) and multipart uploads via PutObjectPartHandler, potentially leading to unauthorized data storage, tampering, or supply-chain compromise in affected environments.
MinIO's security advisory (GHSA-hv4r-mvr4-25vw) and associated GitHub pull request (#16484) and commit (76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091) recommend upgrading open-source minio/minio deployments to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. As interim mitigations, administrators should block unsigned-trailer requests at the load balancer, reject any incoming requests containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer, or switch clients to the signed variant STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER. Additionally, restricting s3:PutObject grants to trusted principals and limiting WRITE permissions reduces the attack surface, though it does not fully eliminate the vulnerability for users with existing WRITE access.
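The interim control recommended above and in the mitigating-controls list (reject the unsigned trailer at the edge) is straightforward to implement in any reverse proxy. As an added example for this page, not MinIO's code nor a vendor WAF rule, the Go middleware below enforces that policy in front of an upstream MinIO endpoint and, for responders, distinguishes ordinary unsigned-trailer clients from requests that also carry the CVE-2026-41145 shape (no `Authorization` header, credentials only in the query string). Paths, credential scopes and the stub upstream are constructed placeholders.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// unsignedTrailer is the X-Amz-Content-Sha256 value the advisory says to
// reject at the edge until the upgrade is in place.
const unsignedTrailer = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"

// classify decides whether the edge should refuse a request and returns a
// short reason for the audit log. Every unsigned-trailer request is refused,
// per the advisory; the reason additionally flags the bypass shape so that
// probing can be told apart from legitimate clients that merely need to
// switch to the signed trailer variant.
func classify(r *http.Request) (blocked bool, reason string) {
	sha := strings.TrimSpace(r.Header.Get("X-Amz-Content-Sha256"))
	if !strings.EqualFold(sha, unsignedTrailer) {
		return false, "allowed"
	}
	noAuthHeader := r.Header.Get("Authorization") == ""
	queryCred := r.URL.Query().Get("X-Amz-Credential") != ""
	if noAuthHeader && queryCred {
		return true, "unsigned trailer with query-string credentials only (CVE-2026-41145 pattern)"
	}
	return true, "unsigned trailer rejected by interim policy"
}

// rejectUnsignedTrailer wraps the proxied upstream with the policy above.
// Hypothetical middleware for Go-based reverse proxies, not MinIO's own code.
func rejectUnsignedTrailer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if blocked, reason := classify(r); blocked {
			log.Printf("edge-block method=%s path=%s remote=%s reason=%q",
				r.Method, r.URL.Path, r.RemoteAddr, reason)
			http.Error(w, "unsigned streaming trailer not accepted; use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER",
				http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// filterStatus sends one PUT through the middleware in front of a stub
// upstream and returns the status the client would receive.
func filterStatus(target string, hdr map[string]string) int {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK) // stand-in for MinIO accepting the upload
	})
	req := httptest.NewRequest(http.MethodPut, target, nil)
	for k, v := range hdr {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	rejectUnsignedTrailer(upstream).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample requests; bucket, object and credential values are placeholders.
	cases := []struct {
		name   string
		target string
		hdr    map[string]string
	}{
		{"signed trailer, passes", "/bucket/obj", map[string]string{
			"Authorization":        "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20260422/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=0000",
			"X-Amz-Content-Sha256": "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER"}},
		{"unsigned trailer, blocked", "/bucket/obj", map[string]string{
			"Authorization":        "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20260422/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=0000",
			"X-Amz-Content-Sha256": unsignedTrailer}},
		{"bypass shape, blocked", "/bucket/obj?X-Amz-Credential=minioadmin%2F20260422%2Fus-east-1%2Fs3%2Faws4_request", map[string]string{
			"X-Amz-Content-Sha256": unsignedTrailer}},
	}
	for _, c := range cases {
		fmt.Printf("%-26s -> %d\n", c.name, filterStatus(c.target, c.hdr))
	}
}
```

The header comparison is case-insensitive and whitespace-tolerant on purpose: an edge rule that matches only the exact byte string invites trivial evasion, and HTTP header values are not case-normalised by the proxy. The same two conditions used in `classify` (unsigned trailer present, `Authorization` absent, `X-Amz-Credential` in the query) are the fields to search for in existing access logs when checking whether a deployment was probed before the control was put in place.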
Details
- CWE(s): CWE-287 (Improper Authentication)
Affected Products
- MinIO (open-source `minio/minio`), from RELEASE.2023-05-18T00-05-36Z up to but not including RELEASE.2026-04-11T03-20-12Z
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
CVE-2026-41145 is an authentication bypass vulnerability in the public-facing MinIO object storage service (S3-compatible API), enabling unauthorized object writes and directly mapping to T1190: Exploit Public-Facing Application.