Arvin Shivram

**Name of the Vulnerable Software and Affected Versions** Google Cloud Application Integration versions prior to 2026-01-23 **Description** Improper Access Control in several internal API endpoints allows a remote, unauthenticated attacker to disclose sensitive internal information and execute arbitrary code. This is achieved by sending specially crafted HTTP requests to internal API endpoints that were inadvertently exposed. The issue involves debug endpoints that allow the configuration of privileged workflows, leading to Remote Code Execution (RCE), which is the ability to execute arbitrary commands on a target machine. **Recommendations** Update to the version released on or after 2026-01-23.

**Name of the Vulnerable Software and Affected Versions** MinIO versions RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z **Description** An authentication bypass exists in the `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path. An attacker possessing a valid access key can write arbitrary objects to any bucket without a secret key or a valid cryptographic signature. The issue occurs because `PutObjectHandler` and `PutObjectPartHandler` utilize `newUnsignedV4ChunkedReader` with a signature verification gate that relies only on the `Authorization` header. Simultaneously, `isPutActionAllowed` accepts credentials from either the `Authorization` header or the `X-Amz-Credential` query parameter. By omitting the `Authorization` header and providing credentials via the query string, the signature gate is bypassed, and the request is processed using the permissions of the impersonated access key. This affects standard and tables/warehouse bucket paths as well as multipart uploads. **Recommendations** Upgrade to MinIO AIStor version RELEASE.2026-04-11T03-20-12Z or later. Block unsigned-trailer requests at the load balancer by rejecting any request containing `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the reverse proxy or WAF layer. Restrict `s3:PutObject` grants to trusted principals to limit WRITE permissions.

**Name of the Vulnerable Software and Affected Versions** MinIO versions RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z **Description** An authentication bypass exists in the Snowball auto-extract handler `PutObjectExtractHandler`. This issue allows a user with a valid access key to write arbitrary objects to any bucket without providing a secret key or a valid cryptographic signature. The flaw occurs because the `switch rAuthType` block in the handler lacks a case for `authTypeStreamingUnsignedTrailer`, causing execution to bypass signature verification. An attacker can exploit this by sending a PUT request with the header `X-Amz-Content-Sha256` set to `STREAMING-UNSIGNED-PAYLOAD-TRAILER`, the header `X-Amz-Meta-Snowball-Auto-Extract` set to `true`, and an `Authorization` header containing a valid access key with a fabricated signature. **Recommendations** Upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. Block unsigned-trailer requests at the load balancer by rejecting any request containing `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the reverse proxy or WAF layer. Restrict `s3:PutObject` grants to trusted principals to limit WRITE permissions.