CVE-2026-40344
Status: Received - Intake
Authentication Bypass in MinIO Snowball Handler Allows Arbitrary Writes

Publication date: 2026-04-22

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler (`PutObjectExtractHandler`) allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name.

When `authTypeStreamingUnsignedTrailer` support was added, the new auth type was handled in `PutObjectHandler` and `PutObjectPartHandler` but was never added to `PutObjectExtractHandler`. The snowball auto-extract handler's `switch rAuthType` block has no case for `authTypeStreamingUnsignedTrailer`, so execution falls through with no signature verification at all. The `isPutActionAllowed` call before the switch extracts the access key and checks IAM permissions, but does not verify the cryptographic signature.

An attacker sends a PUT request with `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`, `X-Amz-Meta-Snowball-Auto-Extract: true`, and an `Authorization` header containing a valid access key with a completely fabricated signature. The request is accepted and the tar payload is extracted into the bucket.

Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer: reject any request containing `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the reverse proxy or WAF layer. Clients can use `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER` (the signed variant) instead. Alternatively, restrict WRITE permissions by limiting s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability, since any user with WRITE permission can exploit it with only their access key.
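The defect described above is a dispatch-on-auth-type block with a missing case, where the only check that runs before the write resolves the access key but never the signature. The model below is an added, illustrative example, not MinIO's code: the auth-type labels, the toy HMAC-SHA256 signing scheme, the credential store and every helper name are constructed for this demonstration. It contrasts the fallthrough pattern with a deny-by-default handler that rejects any auth type it does not explicitly verify.

```python
"""Model of the auth-type dispatch defect described above: an added, illustrative example,
not MinIO's code. The auth-type constants, the toy HMAC signing scheme, the credential
store and the helper names are all constructed for this demonstration."""
import hashlib
import hmac

# Constructed credential store: access key -> secret key (stands in for IAM).
CREDENTIALS = {"minioadmin": "constructed-secret"}

# Constructed auth-type labels (the real handler dispatches on an enum value such as
# authTypeStreamingUnsignedTrailer; these strings are just stand-ins).
AUTH_V4 = "signed-v4"
AUTH_STREAMING_UNSIGNED_TRAILER = "streaming-unsigned-trailer"


def sign(secret, method, bucket, key):
    """Toy signature: HMAC-SHA256 over the request line. Stands in for SigV4 header signing."""
    msg = f"{method}\n{bucket}\n{key}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def is_put_action_allowed(request):
    """Mirrors the IAM pre-check: resolves the access key and its permission, but never
    touches the signature, so on its own it proves nothing about who sent the request."""
    return request["access_key"] in CREDENTIALS  # every stored key may write in this model


def verify_header_signature(request):
    secret = CREDENTIALS[request["access_key"]]
    expected = sign(secret, request["method"], request["bucket"], request["key"])
    return hmac.compare_digest(expected, request["signature"])


def vulnerable_extract_handler(request):
    """Fallthrough pattern: an auth type with no matching case reaches the write unverified."""
    if not is_put_action_allowed(request):
        return "403 AccessDenied"
    auth_type = request["auth_type"]
    if auth_type == AUTH_V4:
        if not verify_header_signature(request):
            return "403 SignatureDoesNotMatch"
    # No branch for AUTH_STREAMING_UNSIGNED_TRAILER: execution falls through to the write.
    return "200 extracted"


def hardened_extract_handler(request):
    """Deny by default: every auth type needs an explicit verification path, and anything
    unrecognised is rejected before the write."""
    if not is_put_action_allowed(request):
        return "403 AccessDenied"
    auth_type = request["auth_type"]
    if auth_type == AUTH_V4:
        ok = verify_header_signature(request)
    elif auth_type == AUTH_STREAMING_UNSIGNED_TRAILER:
        # An unsigned *payload* trailer still carries signed headers; verify them here.
        ok = verify_header_signature(request)
    else:
        ok = False  # unknown auth type: never fall through to the write
    return "200 extracted" if ok else "403 SignatureDoesNotMatch"


def make_request(access_key, auth_type, signature, method="PUT", bucket="data", key="payload.tar"):
    return {"access_key": access_key, "auth_type": auth_type, "signature": signature,
            "method": method, "bucket": bucket, "key": key}


def forged_request():
    """Valid access key, unsigned-trailer auth type, made-up signature (constructed)."""
    return make_request("minioadmin", AUTH_STREAMING_UNSIGNED_TRAILER, "0000")


def genuine_request(auth_type=AUTH_V4):
    """Request whose signature was produced with the real secret for the key."""
    sig = sign(CREDENTIALS["minioadmin"], "PUT", "data", "payload.tar")
    return make_request("minioadmin", auth_type, sig)


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_extract_handler),
                          ("hardened", hardened_extract_handler)):
        print(name, "forged:", handler(forged_request()), "| genuine:", handler(genuine_request()))
```

The point of the hardened version is the `else: ok = False` branch: a permission check that runs before the dispatch can only tell you what the named key may do, not whether the caller holds that key's secret, so every auth type must end in a signature check or a refusal.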
Meta Information
Published: 2026-04-22
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: minio
Product: minio
Version / Range: from 2023-05-18t00-05-36z (inclusive) to 2026-04-11T03-20-12Z (exclusive)
CWE
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an authentication bypass in MinIO's Snowball auto-extract handler (PutObjectExtractHandler). It allows any user who knows a valid access key to write arbitrary objects to any bucket without needing the secret key or a valid cryptographic signature.

The issue arises because when support for a new authentication type (authTypeStreamingUnsignedTrailer) was added, it was not properly handled in the PutObjectExtractHandler. This caused the signature verification to be skipped, allowing unauthorized write access.

An attacker can send a specially crafted PUT request with a valid access key but a fabricated signature, and the request will be accepted, enabling them to extract and write data into the target bucket.

All MinIO deployments from RELEASE.2023-05-18T00-05-36Z up to but not including RELEASE.2026-04-11T03-20-12Z are affected.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an attacker with only a valid access key to write arbitrary objects to any bucket without proper cryptographic signature verification. This unauthorized data manipulation could lead to data integrity and confidentiality issues.

Such unauthorized access and data modification could potentially violate compliance requirements under standards like GDPR and HIPAA, which mandate strict controls over data access, integrity, and protection.

However, the provided context does not explicitly mention the impact on compliance with these standards.


How can this vulnerability impact me?

This vulnerability can allow an attacker with only a valid access key to write arbitrary data to any bucket in your MinIO deployment without proper authorization.

Such unauthorized writes can lead to data corruption, unauthorized data injection, or overwriting of existing data, potentially disrupting services or compromising data integrity.

Because the attacker does not need the secret key or a valid signature, the attack surface is significantly increased, especially if default or weak access keys are in use.

Mitigations include upgrading to a fixed release, blocking unsigned-trailer requests at the load balancer or reverse proxy, or restricting WRITE permissions to trusted principals.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for PUT requests that contain the header "X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER" along with the header "X-Amz-Meta-Snowball-Auto-Extract: true". Such requests indicate attempts to exploit the authentication bypass in the Snowball auto-extract handler.

To detect these on your system or network, you can use network monitoring or log inspection tools to filter for these specific headers in incoming requests.

  • Use tools like tcpdump or Wireshark to capture HTTP traffic and filter for the header "X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER".
  • On the server, inspect access logs for PUT requests containing "X-Amz-Meta-Snowball-Auto-Extract: true" and the unsigned payload trailer header.
  • Example command to search logs: grep -i 'X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER' /path/to/access.log
  • Example tcpdump command to capture relevant traffic: tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER'

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading MinIO to RELEASE.2026-04-11T03-20-12Z or later, which contains the fix for this vulnerability.

If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer or reverse proxy level.

  • Reject any request containing the header "X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER" at the reverse proxy or Web Application Firewall (WAF) layer.
  • Encourage clients to use the signed variant "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER" instead.
  • Restrict WRITE permissions by limiting s3:PutObject grants to trusted principals only, reducing the attack surface.
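The detection guidance (flag PUTs carrying both the unsigned trailer and the snowball auto-extract header) and the mitigation guidance (reject every unsigned-trailer request at the proxy or WAF) are two rules over the same headers. The script below implements both over a small log sample and is an added example, not code from MinIO or any proxy vendor. The JSON-lines log layout, its entries and the function names are constructed for this demonstration; swap `parse_line()` for your proxy's real access-log format.

```python
"""Header inspection covering both the detection guidance and the proxy-blocking guidance
above. This is an added example, not code from MinIO or any proxy vendor. The JSON-lines
log layout, its entries and the function names are constructed for this demonstration;
swap parse_line() for your proxy's real access-log format."""
import json

UNSIGNED_TRAILER = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"
SIGNED_TRAILER = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER"

# Constructed sample log: one JSON object per request, as a reverse proxy that terminates
# TLS could record it. Header names and values vary in case on purpose.
SAMPLE_LOG = "\n".join([
    json.dumps({"method": "PUT", "path": "/backups/archive.tar", "headers": {
        "X-Amz-Content-Sha256": UNSIGNED_TRAILER,
        "X-Amz-Meta-Snowball-Auto-Extract": "true"}}),
    json.dumps({"method": "PUT", "path": "/backups/big.bin", "headers": {
        "x-amz-content-sha256": UNSIGNED_TRAILER.lower()}}),
    json.dumps({"method": "PUT", "path": "/backups/ok.tar", "headers": {
        "X-Amz-Content-Sha256": SIGNED_TRAILER,
        "X-Amz-Meta-Snowball-Auto-Extract": "true"}}),
    json.dumps({"method": "GET", "path": "/backups/ok.tar", "headers": {}}),
])


def normalize_headers(headers):
    """Header names are case-insensitive in HTTP; fold them so lookups are not evaded by case."""
    return {name.lower(): str(value).strip() for name, value in headers.items()}


def should_block(headers):
    """Proxy/WAF rule from the mitigation: reject every unsigned-payload-trailer request,
    whatever else it carries. The signed variant (SIGNED_TRAILER) passes."""
    h = normalize_headers(headers)
    return h.get("x-amz-content-sha256", "").upper() == UNSIGNED_TRAILER


def is_exploit_pattern(method, headers):
    """Detection rule: a PUT with the unsigned trailer *and* snowball auto-extract enabled,
    the combination that reaches the affected handler."""
    h = normalize_headers(headers)
    auto_extract = h.get("x-amz-meta-snowball-auto-extract", "").lower() == "true"
    return method.upper() == "PUT" and should_block(headers) and auto_extract


def parse_line(line):
    """Constructed format: {"method": ..., "path": ..., "headers": {...}} per line."""
    rec = json.loads(line)
    return rec["method"], rec["path"], rec.get("headers", {})


def scan_log(text):
    """Return one finding per request, keeping line numbers for cross-referencing."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        method, path, headers = parse_line(line)
        findings.append({
            "line": lineno, "method": method, "path": path,
            "block": should_block(headers),
            "exploit_pattern": is_exploit_pattern(method, headers),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "ALERT" if f["exploit_pattern"] else ("BLOCK" if f["block"] else "ok")
        print(f"line {f['line']}: {flag:5} {f['method']} {f['path']}")
```

Header matching of this kind only works where the request is in the clear, which is why the reject rule belongs at the component that terminates TLS (the reverse proxy or WAF) and why its access log, rather than a packet capture of port 443, is the place to run the detection rule.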
