PT-2026-37272 · Minio · Minio

Adrian Denkiewicz +1

Published: 2026-04-25

Updated: 2026-05-13

CVE-2026-42600

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: MinIO versions RELEASE.2022-07-24T01-54-52Z through RELEASE.2025-09-07T16-13-09Z
Description: A path traversal issue in the ReadMultiple internode storage REST endpoint allows an attacker who can present the cluster root JWT to read files outside the configured drive roots. It affects distributed erasure-coded (multi-node) deployments; single-node standalone deployments are not affected. The attack requires an HS512 JWT signed with MINIO_ROOT_PASSWORD whose accessKey claim is set to MINIO_ROOT_USER, so anyone who holds the root credential (or a token minted from it) can reach the endpoint.
The issue occurs because the ReadMultiple handler in cmd/storage-rest-server.go forwards the Bucket, Prefix, and Files fields from a msgpack-encoded ReadMultipleReq body to xlStorage.ReadMultiple in cmd/xl-storage.go without validation. The pathJoin function resolves .. components, allowing access to any path on the filesystem accessible by the MinIO process UID. An attacker can trigger this by sending a POST request to '/minio/storage/{drivePath}/v63/rmpl' with traversal sequences in the Bucket field.
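The following Go program is an added illustration of the mechanism and of the check the handler needs; it is not MinIO's code. ReadMultipleReq is a cut-down stand-in for the real request type (only Bucket, Prefix and Files), unsafeJoin models the advisory's description of pathJoin using the standard library's path.Join, and the drive root and request values are constructed for the example. safeJoin rejects any user-supplied element that is empty, absolute, contains a NUL byte, or carries a "." or ".." segment, then re-checks with filepath.Rel that the joined path still lies under the drive root.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// ReadMultipleReq is a simplified stand-in for the msgpack request body
// described in the advisory; the real type carries more fields.
type ReadMultipleReq struct {
	Bucket string
	Prefix string
	Files  []string
}

// unsafeJoin models the behaviour the advisory attributes to pathJoin:
// ".." components are resolved, so a crafted Bucket escapes the drive root.
func unsafeJoin(driveRoot string, elem ...string) string {
	return path.Join(append([]string{driveRoot}, elem...)...)
}

var (
	errTraversal = errors.New("path element escapes drive root")
	errInvalid   = errors.New("invalid request")
)

// checkComponent rejects one user-supplied path element if it is empty,
// absolute, contains a NUL byte, or has a "." or ".." segment. Both slash
// styles are treated as separators to stay conservative.
func checkComponent(c string) error {
	if c == "" {
		return fmt.Errorf("%w: empty path element", errInvalid)
	}
	if strings.ContainsRune(c, 0) {
		return fmt.Errorf("%w: NUL byte in %q", errInvalid, c)
	}
	if strings.HasPrefix(c, "/") || strings.HasPrefix(c, `\`) {
		return fmt.Errorf("%w: absolute element %q", errTraversal, c)
	}
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, seg := range strings.FieldsFunc(c, isSep) {
		if seg == "." || seg == ".." {
			return fmt.Errorf("%w: %q", errTraversal, c)
		}
	}
	return nil
}

// safeJoin validates every element, joins them under driveRoot, and then
// confirms (defence in depth) that the result is still inside driveRoot.
func safeJoin(driveRoot string, elem ...string) (string, error) {
	for _, e := range elem {
		if err := checkComponent(e); err != nil {
			return "", err
		}
	}
	joined := path.Join(append([]string{driveRoot}, elem...)...)
	rel, err := filepath.Rel(driveRoot, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", errTraversal, elem, joined)
	}
	return joined, nil
}

// resolveReadMultiple turns a request into the on-disk paths the handler
// would open, refusing the whole request on the first bad element.
// Prefix may be empty (it is optional); Bucket and each file name may not.
func resolveReadMultiple(driveRoot string, req ReadMultipleReq) ([]string, error) {
	if req.Bucket == "" {
		return nil, fmt.Errorf("%w: empty bucket", errInvalid)
	}
	out := make([]string, 0, len(req.Files))
	for _, f := range req.Files {
		elems := []string{req.Bucket}
		if req.Prefix != "" {
			elems = append(elems, req.Prefix)
		}
		elems = append(elems, f)
		p, err := safeJoin(driveRoot, elems...)
		if err != nil {
			return nil, err
		}
		out = append(out, p)
	}
	return out, nil
}

func main() {
	const driveRoot = "/data/drive1" // constructed example drive root

	// Unvalidated join: the Bucket field walks out of the drive root.
	fmt.Println("unsafe:", unsafeJoin(driveRoot, "../../etc", "", "shadow"))

	// Validated join: the same request is refused.
	evil := ReadMultipleReq{Bucket: "../../etc", Files: []string{"shadow"}}
	_, err := resolveReadMultiple(driveRoot, evil)
	fmt.Println("safe  :", err)

	// A legitimate request still resolves normally.
	good := ReadMultipleReq{Bucket: "photos", Prefix: "2024/", Files: []string{"a.jpg", "b.jpg"}}
	paths, _ := resolveReadMultiple(driveRoot, good)
	fmt.Println("ok    :", paths)
}
```

The segment-level check is what closes the hole; the filepath.Rel check after joining is there so that a future change to the join logic cannot silently reopen it.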
Impact varies by deployment: on bare-metal systems, access is limited to files owned by the MinIO UID (e.g., TLS private keys, KMS/KES key material); in containerized environments running as UID 0, it allows arbitrary host-filesystem disclosure, including /etc/shadow and Kubernetes service-account tokens.
Recommendations: Upgrade to MinIO AIStor version RELEASE.2024-10-23T19-38-07Z or later. Rotate the root credential and restrict its distribution to prevent unauthorized JWT minting. Configure MinIO containers to run as a non-root user by setting securityContext.runAsNonRoot: true or using the --user flag in Docker. Use the --internode-port flag to isolate internode traffic on a separate interface and block that interface from client networks.

Fix

Weakness Enumeration

Path traversal

Related Identifiers

BIT-MINIO-2026-42600
CVE-2026-42600
GHSA-XH8F-G2QW-GCM7

Affected Products

Minio