PT-2026-34234 · Minio · Minio

Arvin Shivram +2 · Published 2026-04-14 · Updated 2026-05-13 · CVE-2026-41145

CVSS v4.0: 8.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

MinIO versions RELEASE.2023-05-18T00-05-36Z through RELEASE.2026-04-11T03-20-12Z

Description

An authentication bypass exists in the STREAMING-UNSIGNED-PAYLOAD-TRAILER code path. An attacker who holds a valid access key can write arbitrary objects to any bucket without the corresponding secret key or a valid cryptographic signature. The issue occurs because PutObjectHandler and PutObjectPartHandler use newUnsignedV4ChunkedReader behind a signature-verification gate that checks only for the presence of the Authorization header, while isPutActionAllowed accepts credentials from either the Authorization header or the X-Amz-Credential query parameter. A request that omits the Authorization header and supplies credentials in the query string therefore passes the signature gate and is processed with the permissions of the impersonated access key. This affects standard and tables/warehouse bucket paths as well as multipart uploads.

Recommendations

Upgrade to MinIO AIStor version RELEASE.2026-04-11T03-20-12Z or later. Block unsigned-trailer requests at the load balancer, reverse proxy or WAF layer by rejecting any request carrying the header X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER. Restrict s3:PutObject grants to trusted principals to limit WRITE permissions.
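The following is an added example, not code from MinIO or from this advisory, of the request screening the recommendations describe: a function of the kind one would run at a reverse proxy or WAF in front of MinIO. It blocks every request whose X-Amz-Content-Sha256 header selects the unsigned-trailer encoding, and, as a detection-only rule that goes beyond the advisory's text, raises an alert on write requests that carry SigV4 credentials only in the query string with no Authorization header. The Decision type, the function names, the sample requests and the "alert" outcome are assumptions of this example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Header value named in the advisory: it selects MinIO's unsigned-trailer
# payload code path.
UNSIGNED_TRAILER = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"
WRITE_METHODS = {"PUT", "POST"}


@dataclass(frozen=True)
class Decision:
    action: str  # "block", "alert" or "allow" (naming is this example's own)
    reason: str


def screen_request(method: str, target: str, headers: dict) -> Decision:
    """Screen one HTTP request before the proxy forwards it to MinIO.

    `target` is the request-target (path plus query string); `headers` is a
    plain name->value mapping as a proxy would expose it.
    """
    # HTTP header names are case-insensitive; normalise once so a request
    # cannot slip past the check by changing the header's capitalisation.
    h = {name.lower(): value.strip() for name, value in headers.items()}
    query = parse_qs(urlsplit(target).query)

    # Rule 1 (the advisory's recommended mitigation): reject every request
    # that asks for the unsigned-trailer encoding, whatever the method, and
    # regardless of whether an Authorization header is present.
    if h.get("x-amz-content-sha256", "").upper() == UNSIGNED_TRAILER:
        return Decision("block", "unsigned-trailer payload encoding rejected")

    # Rule 2 (detection; an assumption of this example, not from the advisory):
    # a write whose SigV4 credentials appear only in the query string with no
    # Authorization header is the request shape the advisory describes. It is
    # alerted on rather than blocked, because presigned PUT URLs legitimately
    # look like this (they also carry X-Amz-Signature); review such requests
    # in the proxy log instead of dropping them outright.
    if (method.upper() in WRITE_METHODS
            and "authorization" not in h
            and "X-Amz-Credential" in query):
        return Decision("alert",
                        "write with query-string credentials and no Authorization header")

    return Decision("allow", "")


# Constructed sample requests (not captured traffic); credential and signature
# values are placeholders.
SAMPLE_REQUESTS = [
    # Ordinary signed PUT: Authorization header present, plain unsigned payload.
    ("PUT", "/bucket/object", {
        "Authorization": "AWS4-HMAC-SHA256 Credential=EXAMPLEKEY/20260414/us-east-1/s3/aws4_request, "
                         "SignedHeaders=host;x-amz-content-sha256, Signature=PLACEHOLDER",
        "X-Amz-Content-Sha256": "UNSIGNED-PAYLOAD"}),
    # Signed PUT that nevertheless requests the unsigned-trailer encoding.
    ("PUT", "/bucket/object", {
        "Authorization": "AWS4-HMAC-SHA256 Credential=EXAMPLEKEY/20260414/us-east-1/s3/aws4_request, "
                         "SignedHeaders=host, Signature=PLACEHOLDER",
        "X-Amz-Content-Sha256": UNSIGNED_TRAILER}),
    # Same header in lower case and without Authorization: still caught by rule 1.
    ("PUT", "/bucket/object", {"x-amz-content-sha256": "streaming-unsigned-payload-trailer"}),
    # Presigned-URL style PUT: credentials and signature live in the query string.
    ("PUT", "/bucket/object?X-Amz-Algorithm=AWS4-HMAC-SHA256"
            "&X-Amz-Credential=EXAMPLEKEY%2F20260414%2Fus-east-1%2Fs3%2Faws4_request"
            "&X-Amz-Signature=PLACEHOLDER", {}),
    # Read with a query-string credential: not a write, so rule 2 does not apply.
    ("GET", "/bucket/object?X-Amz-Credential=EXAMPLEKEY%2F20260414%2Fus-east-1%2Fs3%2Faws4_request", {}),
]


def summarize(requests) -> dict:
    """Count screening outcomes over a batch of (method, target, headers) tuples."""
    counts = {"block": 0, "alert": 0, "allow": 0}
    for method, target, headers in requests:
        counts[screen_request(method, target, headers).action] += 1
    return counts


if __name__ == "__main__":
    for method, target, headers in SAMPLE_REQUESTS:
        d = screen_request(method, target, headers)
        print(f"{d.action:5} {method} {target.split('?')[0]}  {d.reason}")
    print(summarize(SAMPLE_REQUESTS))
```

Rule 1 is the only rule that should be enforced as a hard block; it is coarse (it also drops legitimate clients that use the unsigned-trailer encoding) and is a stopgap until the upgrade the advisory recommends is applied. Rule 2 exists so that the proxy log records the request shape described in the advisory without breaking presigned uploads.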

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

BIT-MINIO-2026-41145
CVE-2026-41145
GHSA-HV4R-MVR4-25VW

Affected Products

Minio