PT-2026-34826 — Improper Authentication in Go Github.Com/Minio/Minio

PT-2026-34826 · Go · Github.Com/Minio/Minio

Published

2026-04-14

Updated

2026-04-14

CVSS v3.1

8.2

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Impact

Two authentication bypass vulnerabilities in MinIO's STREAMING-UNSIGNED-PAYLOAD-TRAILER code path allow any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature.

Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default minioadmin, or any key with WRITE permission on a bucket) and a target bucket name.

There are two vulnerabilities:

Missing Signature Verification in PutObjectExtractHandler / Snowball (CWE-306)
Signature Verification Bypass via Query-String Credentials (CWE-287)

Vulnerability 1 — Missing signature verification in PutObjectExtractHandler (Snowball)

When authTypeStreamingUnsignedTrailer support was added (commit 76913a9fd, PR #16484), the new auth type was handled in PutObjectHandler and PutObjectPartHandler but was never added to PutObjectExtractHandler. The snowball auto-extract handler's switch rAuthType block has no case for authTypeStreamingUnsignedTrailer, so execution falls through with zero signature verification. The isPutActionAllowed call before the switch extracts the access key and checks IAM permissions, but does not verify the cryptographic signature.

An attacker sends a PUT request with X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER, X-Amz-Meta-Snowball-Auto-Extract: true, and an Authorization header containing a valid access key with a completely fabricated signature. The request is accepted and the tar payload is extracted into the bucket.

Affected component: cmd/object-handlers.go, function PutObjectExtractHandler.

Vulnerability 2 — Signature verification bypass via query-string credentials

PutObjectHandler and PutObjectPartHandler call newUnsignedV4ChunkedReader with a signature verification gate based solely on the presence of the Authorization header:

newUnsignedV4ChunkedReader(r, true, r.Header.Get(xhttp.Authorization) != "")

Meanwhile, isPutActionAllowed extracts credentials from either the Authorization header or the X-Amz-Credential query parameter, and trusts whichever it finds. An attacker omits the Authorization header and supplies credentials exclusively via the query string. The signature gate evaluates to false, doesSignatureMatch is never called, and the request proceeds with the permissions of the impersonated access key.

Affected components: cmd/object-handlers.go (PutObjectHandler), cmd/object-multipart-handlers.go (PutObjectPartHandler).

CVSS v4.0 Score: 8.8 (High)

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

CWE: CWE-306 (Missing Authentication for Critical Function), CWE-287 (Improper Authentication)

Affected Versions

All MinIO releases through the final release of the minio/minio open-source project.

Both vulnerabilities were introduced in commit 76913a9fd ("Signed trailers for signature v4", PR #16484), which added authTypeStreamingUnsignedTrailer support. The first affected release is RELEASE.2023-05-18T00-05-36Z.

Patches

Fixed in: MinIO AIStor RELEASE.2026-04-11T03-20-12Z

Binary Downloads

Platform	Architecture	Download
Linux	amd64	minio
Linux	arm64	minio
macOS	arm64	minio
macOS	amd64	minio
Windows	amd64	minio.exe

FIPS Binaries

Platform	Architecture	Download
Linux	amd64	minio.fips
Linux	arm64	minio.fips

Package Downloads

Format	Architecture	Download
DEB	amd64	[minio 20260411032012.0.0 amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio 20260411032012.0.0 amd64.deb)
DEB	arm64	[minio 20260411032012.0.0 arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio 20260411032012.0.0 arm64.deb)
RPM	amd64	[minio-20260411032012.0.0-1.x86 64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260411032012.0.0-1.x86 64.rpm)
RPM	arm64	minio-20260411032012.0.0-1.aarch64.rpm

Container Images

bash

# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z

# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips

Homebrew (macOS)

bash

brew install minio/aistor/minio

Workarounds

Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later.

If upgrading is not immediately possible:

Block unsigned-trailer requests at the load balancer. Reject any request containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer. Clients can use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead.
Restrict WRITE permissions. Limit s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.

Credits

Finder: Arvin Shivram of Brutecat Security (@ddd)

References

Introducing commit: 76913a9fd (PR #16484)
MinIO AIStor

Fix

Improper Authentication

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287CWE-306

Related Identifiers

GHSA-9C4Q-HQ6P-C237

Affected Products

Github.Com/Minio/Minio