Minio · Minio · CVE-2026-41145
**Name of the Vulnerable Software and Affected Versions**
MinIO versions RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z
**Description**
An authentication bypass exists in the `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path. An attacker possessing a valid access key can write arbitrary objects to any bucket without a secret key or a valid cryptographic signature. The issue occurs because `PutObjectHandler` and `PutObjectPartHandler` utilize `newUnsignedV4ChunkedReader` with a signature verification gate that relies only on the `Authorization` header. Simultaneously, `isPutActionAllowed` accepts credentials from either the `Authorization` header or the `X-Amz-Credential` query parameter. By omitting the `Authorization` header and providing credentials via the query string, the signature gate is bypassed, and the request is processed using the permissions of the impersonated access key. This affects standard and tables/warehouse bucket paths as well as multipart uploads.
**Recommendations**
Upgrade to MinIO AIStor version RELEASE.2026-04-11T03-20-12Z or later.
Block unsigned-trailer requests at the load balancer, reverse proxy or WAF layer by rejecting any request containing `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`.
Restrict `s3:PutObject` grants to trusted principals to limit WRITE permissions.
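The request shape from the description and the blanket block from the second recommendation can be expressed as a filter over request metadata. The following is an added example, not MinIO code or a vendor rule: `classify`, `should_block` and the sample requests are hypothetical names and constructed data, and the header and query comparisons are deliberately case-insensitive so the filter errs towards blocking.

```python
from urllib.parse import urlsplit, parse_qs

UNSIGNED_TRAILER = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"

def classify(method, url, headers):
    """Classify one request as 'bypass-pattern', 'unsigned-trailer' or 'ok'."""
    # Header names are case-insensitive; normalise names and trim values.
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}
    # Compared case-insensitively so the filter errs towards blocking.
    if h.get("x-amz-content-sha256", "").upper() != UNSIGNED_TRAILER:
        return "ok"
    params = {k.lower() for k in parse_qs(urlsplit(url).query, keep_blank_values=True)}
    # Pattern from the description: no Authorization header, credential in the query.
    if method.upper() == "PUT" and not h.get("authorization") and "x-amz-credential" in params:
        return "bypass-pattern"
    return "unsigned-trailer"

def should_block(method, url, headers):
    """Blanket mitigation: reject every unsigned-trailer request."""
    return classify(method, url, headers) != "ok"

# Constructed sample requests (key id, bucket and object names are placeholders).
CRED = "X-Amz-Credential=EXAMPLEKEYID%2F20260101%2Fus-east-1%2Fs3%2Faws4_request"
SAMPLES = [
    ("PUT", "/bucket/obj?" + CRED, {"X-Amz-Content-Sha256": UNSIGNED_TRAILER}),
    ("PUT", "/bucket/obj?partNumber=1&uploadId=EXAMPLE&" + CRED,
     {"x-amz-content-sha256": UNSIGNED_TRAILER}),
    ("PUT", "/bucket/obj", {"Authorization": "AWS4-HMAC-SHA256 Credential=...",
                            "X-Amz-Content-Sha256": UNSIGNED_TRAILER}),
    ("PUT", "/bucket/obj", {"Authorization": "AWS4-HMAC-SHA256 Credential=...",
                            "X-Amz-Content-Sha256": "UNSIGNED-PAYLOAD"}),
]

if __name__ == "__main__":
    for method, url, headers in SAMPLES:
        print(classify(method, url, headers), should_block(method, url, headers), url)
```

The `bypass-pattern` verdict is the one worth alerting on in proxy logs; `unsigned-trailer` covers requests that are rejected by the blanket block but still carry an `Authorization` header.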