PT-2026-34231 · Minio · Minio

Author: Arvin Shivram +1
Published: 2026-04-11 · Updated: 2026-05-13
CVE: CVE-2026-40344
CVSS v4.0: 8.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: MinIO versions RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z

Description: An authentication bypass exists in the Snowball auto-extract handler PutObjectExtractHandler. This issue allows a user with a valid access key to write arbitrary objects to any bucket without providing a secret key or a valid cryptographic signature. The flaw occurs because the switch rAuthType block in the handler lacks a case for authTypeStreamingUnsignedTrailer, causing execution to bypass signature verification. An attacker can exploit this by sending a PUT request with the header X-Amz-Content-Sha256 set to STREAMING-UNSIGNED-PAYLOAD-TRAILER, the header X-Amz-Meta-Snowball-Auto-Extract set to true, and an Authorization header containing a valid access key with a fabricated signature.

Recommendations:
1. Upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later.
2. Block unsigned-trailer requests at the load balancer by rejecting any request containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer.
3. Restrict s3:PutObject grants to trusted principals to limit WRITE permissions.
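To make the root cause concrete, here is an added Go model of the handler's auth-type switch, vulnerable and fixed side by side; it is constructed for this advisory and is not MinIO's own code. The type names, the stub signature verifier and the sample header values are assumptions; the fixed form also generalizes the fix into a default-deny switch so that any auth type the dispatch does not name is rejected rather than waved through.

```go
package main
import "net/http"
// Constructed model of the advisory's auth-type dispatch; names, stub verifier and sample values are assumptions, not MinIO's code.
type authType int

const (
	authTypeAnonymous authType = iota
	authTypeSigned                   // SigV4 with a signed or streaming-signed payload
	authTypeStreamingUnsignedTrailer // X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER
)

func classifyAuth(r *http.Request) authType {
	if r.Header.Get("Authorization") == "" {
		return authTypeAnonymous
	}
	if r.Header.Get("X-Amz-Content-Sha256") == "STREAMING-UNSIGNED-PAYLOAD-TRAILER" {
		return authTypeStreamingUnsignedTrailer
	}
	return authTypeSigned
}

// verifySignature stands in for SigV4 header verification: only goodAuth verifies.
const goodAuth = "AWS4-HMAC-SHA256 Credential=EXAMPLEKEY/..., Signature=valid"
func verifySignature(r *http.Request) bool { return r.Header.Get("Authorization") == goodAuth }

// authorizeVulnerable mirrors the flaw: with no case for the unsigned-trailer
// type, such a request leaves the switch with no error set and the write proceeds.
func authorizeVulnerable(r *http.Request) bool {
	var s3Err string
	switch classifyAuth(r) {
	case authTypeAnonymous:
		s3Err = "AccessDenied"
	case authTypeSigned:
		if !verifySignature(r) {
			s3Err = "SignatureDoesNotMatch"
		}
	} // authTypeStreamingUnsignedTrailer matches nothing, so s3Err stays empty
	return s3Err == ""
}

// authorizeFixed runs unsigned-trailer uploads through the same header signature
// check (only the payload is unsigned) and denies any type the switch does not name.
func authorizeFixed(r *http.Request) bool {
	switch classifyAuth(r) {
	case authTypeSigned, authTypeStreamingUnsignedTrailer:
		return verifySignature(r)
	default:
		return false
	}
}
```

A request carrying the advisory's headers with a fabricated signature passes authorizeVulnerable and is refused by authorizeFixed, while a correctly signed unsigned-trailer upload still passes both.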

Fix

Weakness Enumeration: Missing Authentication; Improper Authentication

Related Identifiers: BIT-MINIO-2026-40344, CVE-2026-40344, GHSA-9C4Q-HQ6P-C237

Affected Products: Minio