CVE-2026-42600
Published: 11 May 2026
Summary
CVE-2026-42600 is a uncategorised-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is N/A.
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 17.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal enables direct arbitrary local file reads on the MinIO host (bounded by process UID), directly mapping to data collection from the local filesystem.
NVD Description
MinIO is a high-performance object storage system. From RELEASE.2022-07-24T01-54-52Z to before RELEASE.2026-04-14T21-32-45Z, A path traversal vulnerability in MinIO's ReadMultiple internode storage-REST endpoint allows a caller holding the cluster root JWT to read files from outside the configured drive roots, bounded…
more
only by the MinIO process UID. The attacker sends POST minio/storage/{drivePath}/v63/rmpl with a msgpack-encoded body carrying ../ sequences in the Bucket field. The server opens the resulting path via os.OpenFile with O_RDONLY|O_NOATIME and returns its contents in the msgpack response stream. This vulnerability is fixed in RELEASE.2026-04-14T21-32-45Z.
Deeper analysisAI
Automated synthesis unavailable for this CVE.
Details
- CWE(s)