CVE-2026-41145
Authentication Bypass in MinIO Allows Arbitrary Object Writes

Publication date: 2026-04-22

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name.

`PutObjectHandler` and `PutObjectPartHandler` call `newUnsignedV4ChunkedReader` with a signature verification gate based solely on the presence of the `Authorization` header. Meanwhile, `isPutActionAllowed` extracts credentials from either the `Authorization` header or the `X-Amz-Credential` query parameter, and trusts whichever it finds. An attacker omits the `Authorization` header and supplies credentials exclusively via the query string. The signature gate evaluates to `false`, `doesSignatureMatch` is never called, and the request proceeds with the permissions of the impersonated access key. This affects `PutObjectHandler` (standard and tables/warehouse bucket paths) and `PutObjectPartHandler` (multipart uploads).

Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-04-11T03-20-12Z` or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer. Reject any request containing `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the reverse proxy or WAF layer. Clients can use `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER` (the signed variant) instead. Alternatively, restrict WRITE permissions. Limit `s3:PutObject` grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.
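The root cause above is a mismatch between two predicates: the signature gate asks "is there an Authorization header?", while the authorization step asks "is there an access key anywhere I trust?". The following Go model, written for this page and not taken from MinIO's source, makes that mismatch concrete: `vulnerableGate` mirrors the flawed decision, `hardenedGate` ties the decision to the same credential predicate the authorization step uses, and `authorizeUpload` shows the resulting outcome for a request that carries credentials only in the query string. The function names, the simplified credential channels, and the placeholder access key are assumptions for illustration; `sigOK` stands in for whatever `doesSignatureMatch` would return if it were called.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// gateFunc reports whether the handler must verify a signature before
// accepting an upload whose body uses the unsigned streaming trailer.
type gateFunc func(h http.Header, q url.Values) bool

// hasCredentials is true when the request names an access key through
// either channel the authorization step later trusts: the Authorization
// header or the X-Amz-Credential query parameter. (Simplified model.)
func hasCredentials(h http.Header, q url.Values) bool {
	return h.Get("Authorization") != "" || q.Get("X-Amz-Credential") != ""
}

// vulnerableGate decides on header presence alone, so credentials that
// arrive only in the query string never trigger a signature check.
func vulnerableGate(h http.Header, q url.Values) bool {
	return h.Get("Authorization") != ""
}

// hardenedGate uses the same predicate as authorization: whenever an
// access key is presented by any channel, the signature must be verified.
func hardenedGate(h http.Header, q url.Values) bool {
	return hasCredentials(h, q)
}

// authorizeUpload models the handler's outcome. sigOK is the result the
// signature check would produce if consulted; without the secret key a
// caller cannot produce a matching signature, so sigOK is false for them.
func authorizeUpload(gate gateFunc, h http.Header, q url.Values, sigOK bool) bool {
	if !hasCredentials(h, q) {
		return false // no access key at all: nothing to act as, deny
	}
	if gate(h, q) {
		return sigOK // signature consulted
	}
	return true // gate skipped: request proceeds as the named access key
}

// queryOnlyRequest builds the request shape the advisory describes.
// Constructed sample values; EXAMPLE-ACCESS-KEY is a placeholder.
func queryOnlyRequest() (http.Header, url.Values) {
	h := http.Header{}
	h.Set("X-Amz-Content-Sha256", "STREAMING-UNSIGNED-PAYLOAD-TRAILER")
	q := url.Values{}
	q.Set("X-Amz-Credential", "EXAMPLE-ACCESS-KEY/20260422/us-east-1/s3/aws4_request")
	return h, q
}

func main() {
	h, q := queryOnlyRequest()
	fmt.Println("vulnerable gate admits:", authorizeUpload(vulnerableGate, h, q, false)) // true
	fmt.Println("hardened gate admits:  ", authorizeUpload(hardenedGate, h, q, false))   // false
}
```

The point of the model is the last line of `authorizeUpload`: a gate that returns false is not "no authentication needed", it is "authentication skipped", and any code path that later looks up permissions by access key will happily act on an unverified identity. A fix therefore has to make the gate and the credential extraction agree on where credentials may come from.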
Meta Information
Published: 2026-04-22
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: minio
Product: minio
Version / Range: from 2023-05-18T00-05-36Z (inclusive) to 2026-04-11T03-20-12Z (exclusive)
CWE
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an authentication bypass in MinIO's STREAMING-UNSIGNED-PAYLOAD-TRAILER code path. It allows any user who knows a valid access key to write arbitrary objects to any bucket without needing the secret key or a valid cryptographic signature.

The issue arises because the signature verification gate only checks for the presence of the Authorization header. An attacker can omit this header and supply credentials via the query string, bypassing signature verification and gaining write access with the permissions of the access key.

This affects the PutObjectHandler and PutObjectPartHandler functions, enabling unauthorized object uploads or multipart uploads to any bucket.


How can this vulnerability impact me?

This vulnerability can allow an attacker with only a valid access key to write arbitrary data to any bucket in a MinIO deployment without needing the secret key.

This unauthorized write access can lead to data tampering, data pollution, or injection of malicious content into object storage buckets.

Because the attacker does not need the secret key or a valid signature, the attack surface is significantly increased, especially if default or weak access keys are used.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves requests containing the header 'X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER'. Detection can focus on identifying such requests in your network traffic or logs.

You can monitor HTTP requests to your MinIO deployment for the presence of the 'X-Amz-Content-Sha256' header with the value 'STREAMING-UNSIGNED-PAYLOAD-TRAILER'.

For example, using command-line tools like tcpdump or tshark to capture traffic and grep or similar tools to filter for this header might help detect exploit attempts.

  • Use tcpdump to capture HTTP traffic on port 9000 (default MinIO port): tcpdump -A -s 0 'tcp port 9000' | grep 'X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER'
  • Check MinIO server access logs for requests containing 'X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER'.
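The tcpdump and grep commands above only match the header string. Audit-style logs that record headers and query parameters allow a sharper check, because the advisory gives two conditions that together identify the bypass shape: the unsigned trailer header is present, and credentials arrive only via `X-Amz-Credential` in the query string with no `Authorization` header. The Go scanner below is an added example for this page, not MinIO tooling; its `auditEvent` struct is a deliberately small assumed layout (adapt the JSON tags to the schema your MinIO version emits), and the three newline-delimited events in `sampleLog` are constructed, with `EXAMPLE-KEY` as a placeholder access key.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

const unsignedTrailer = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"

// auditEvent is an assumed, minimal stand-in for one audit log entry.
type auditEvent struct {
	Method  string            `json:"method"`
	Path    string            `json:"path"`
	Headers map[string]string `json:"headers"`
	Query   map[string]string `json:"query"`
}

// finding is the verdict for one event; Severity is "" when nothing matched.
type finding struct {
	Severity string
	Reason   string
}

// lookup performs a case-insensitive key match (header names are case-insensitive).
func lookup(m map[string]string, name string) string {
	for k, v := range m {
		if strings.EqualFold(k, name) {
			return v
		}
	}
	return ""
}

// classify flags every unsigned-trailer upload (the mitigation is to block them
// upstream anyway) and raises the severity when the request also has the bypass
// shape: no Authorization header, credentials only in X-Amz-Credential.
func classify(e auditEvent) finding {
	if !strings.EqualFold(lookup(e.Headers, "X-Amz-Content-Sha256"), unsignedTrailer) {
		return finding{}
	}
	if lookup(e.Headers, "Authorization") == "" && lookup(e.Query, "X-Amz-Credential") != "" {
		return finding{"high", "unsigned trailer, no Authorization header, credentials in query string"}
	}
	return finding{"medium", "unsigned-trailer upload observed"}
}

// scanLog reads newline-delimited JSON events and returns one finding per
// input line, in order; unparseable lines get an empty severity.
func scanLog(ndjson string) []finding {
	var out []finding
	sc := bufio.NewScanner(strings.NewReader(ndjson))
	for sc.Scan() {
		var e auditEvent
		if err := json.Unmarshal(sc.Bytes(), &e); err != nil {
			out = append(out, finding{"", "unparseable line"})
			continue
		}
		out = append(out, classify(e))
	}
	return out
}

// sampleLog: constructed events. Line 1 is a normal signed streaming upload,
// line 2 an unsigned-trailer upload that still carries a header signature,
// line 3 the bypass shape described in the advisory.
const sampleLog = `{"method":"PUT","path":"/photos/a.jpg","headers":{"Authorization":"AWS4-HMAC-SHA256 Credential=EXAMPLE-KEY/20260422/us-east-1/s3/aws4_request","X-Amz-Content-Sha256":"STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER"},"query":{}}
{"method":"PUT","path":"/photos/b.jpg","headers":{"Authorization":"AWS4-HMAC-SHA256 Credential=EXAMPLE-KEY/20260422/us-east-1/s3/aws4_request","X-Amz-Content-Sha256":"STREAMING-UNSIGNED-PAYLOAD-TRAILER"},"query":{}}
{"method":"PUT","path":"/photos/c.jpg","headers":{"X-Amz-Content-Sha256":"STREAMING-UNSIGNED-PAYLOAD-TRAILER"},"query":{"X-Amz-Credential":"EXAMPLE-KEY/20260422/us-east-1/s3/aws4_request"}}`

func main() {
	for i, f := range scanLog(sampleLog) {
		if f.Severity != "" {
			fmt.Printf("line %d: %s: %s\n", i+1, f.Severity, f.Reason)
		}
	}
}
```

Run against real logs, the "medium" hits tell you which clients still rely on the unsigned trailer and will break when you block it at the proxy; the "high" hits are the ones to investigate, starting from the access key named in the query string.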

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade MinIO to RELEASE.2026-04-11T03-20-12Z or later, which contains the fix for this vulnerability.

If upgrading immediately is not possible, block unsigned-trailer requests at your load balancer or reverse proxy.

  • Reject any request containing the header 'X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER' at the reverse proxy or WAF layer.
  • Clients should use the signed variant 'STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER' instead.
  • Restrict WRITE permissions by limiting 's3:PutObject' grants to trusted principals to reduce the attack surface.

Can you explain this vulnerability to me?

This vulnerability affects MinIO, a high-performance object storage system. It is an authentication bypass issue in the STREAMING-UNSIGNED-PAYLOAD-TRAILER code path that allows any user who knows a valid access key to write arbitrary objects to any bucket without needing the secret key or a valid cryptographic signature.

The problem arises because the system trusts credentials provided either in the Authorization header or the X-Amz-Credential query parameter. An attacker can omit the Authorization header and supply credentials only via the query string, causing the signature verification to be skipped and the request to proceed with the permissions of the access key.

This affects handlers responsible for object uploads, allowing unauthorized writes if the attacker has a valid access key with WRITE permissions.


How can this vulnerability impact me?

This vulnerability can allow an attacker with only a valid access key to write arbitrary objects to any bucket in a MinIO deployment without needing the secret key or a valid signature.

This means unauthorized data can be uploaded, potentially leading to data corruption, unauthorized data injection, or storage abuse.

Since the attack requires only WRITE permission, any user with such permission can exploit this flaw, increasing the risk of unauthorized modifications.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, upgrade MinIO to RELEASE.2026-04-11T03-20-12Z or later.

If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer or reverse proxy.

  • Reject any request containing the header 'X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER' at the reverse proxy or WAF layer.

Clients should use the signed variant 'STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER' instead.

Alternatively, restrict WRITE permissions by limiting 's3:PutObject' grants to trusted principals, although this does not fully eliminate the vulnerability.


Can you explain this vulnerability to me?

This vulnerability affects MinIO, a high-performance object storage system. It is an authentication bypass in the STREAMING-UNSIGNED-PAYLOAD-TRAILER code path that allows any user who knows a valid access key to write arbitrary objects to any bucket without needing the secret key or a valid cryptographic signature.

The issue arises because the system trusts credentials provided either in the Authorization header or the X-Amz-Credential query parameter. An attacker can omit the Authorization header and supply credentials only via the query string, bypassing signature verification and gaining write access with just the access key.

This affects handlers responsible for object uploads, allowing unauthorized writes to buckets. The vulnerability impacts all MinIO deployments starting from RELEASE.2023-05-18T00-05-36Z up to but not including RELEASE.2026-04-11T03-20-12Z.


How can this vulnerability impact me?

This vulnerability can allow an attacker with only a valid access key to write arbitrary objects to any bucket in a MinIO deployment without needing the secret key or a valid signature.

This means unauthorized users can upload potentially malicious or unwanted data, overwrite existing data, or otherwise manipulate stored objects, leading to data integrity issues, storage abuse, or service disruption.

Because the attack requires only a valid access key with WRITE permission, even users with limited privileges can exploit this vulnerability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying requests that use the STREAMING-UNSIGNED-PAYLOAD-TRAILER signature without a valid Authorization header but include credentials in the query string.

Specifically, you can monitor network traffic or logs for HTTP requests to your MinIO server that contain the header 'X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER' while lacking an Authorization header.

Commands or methods to detect such activity could include using tools like tcpdump or Wireshark to capture traffic and grep or similar tools to filter for the suspicious header.

  • tcpdump -A -s 0 'tcp port 9000' | grep 'X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER'
  • grep -r 'X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER' /var/log/minio-access.log

Additionally, checking for requests that omit the Authorization header but include 'X-Amz-Credential' in the query string can help identify exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading MinIO to RELEASE.2026-04-11T03-20-12Z or later, which contains the fix for this vulnerability.

If upgrading is not immediately possible, you should block unsigned-trailer requests at the load balancer or reverse proxy level.

  • Reject any request containing the header 'X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER' at the reverse proxy or WAF.
  • Clients should be configured to use the signed variant 'STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER' instead.

Additionally, restrict WRITE permissions by limiting s3:PutObject grants to trusted principals only, reducing the attack surface.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker with only a valid access key to write arbitrary objects to any bucket without needing the secret key or a valid cryptographic signature. This unauthorized write access could lead to data integrity and confidentiality issues.

Such unauthorized access and potential data manipulation or injection could impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data access, integrity, and confidentiality.

Organizations using affected MinIO versions might face increased risk of non-compliance due to the inability to fully enforce access controls and protect sensitive data from unauthorized modification.


Can you explain this vulnerability to me?

This vulnerability affects MinIO, a high-performance object storage system. It is an authentication bypass issue in the STREAMING-UNSIGNED-PAYLOAD-TRAILER code path that allows any user who knows a valid access key to write arbitrary objects to any bucket without needing the secret key or a valid cryptographic signature.

The problem arises because the system trusts credentials supplied either via the Authorization header or the X-Amz-Credential query parameter. An attacker can omit the Authorization header and supply credentials only via the query string, bypassing signature verification and gaining write access with just the access key.

This affects the PutObjectHandler and PutObjectPartHandler functions, enabling unauthorized object uploads. The vulnerability impacts all MinIO deployments starting from RELEASE.2023-05-18T00-05-36Z up to but not including RELEASE.2026-04-11T03-20-12Z.


How can this vulnerability impact me?

This vulnerability allows an attacker with only a valid access key to write arbitrary objects to any bucket in a MinIO deployment without needing the secret key or a valid signature.

  • Unauthorized data uploads or modifications in your object storage.
  • Potential data integrity issues due to malicious or unintended object writes.
  • Increased risk of data corruption or storage abuse.
  • Exposure to further attacks leveraging the ability to write arbitrary objects.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, you should upgrade MinIO to RELEASE.2026-04-11T03-20-12Z or later.

If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer or reverse proxy by rejecting any request containing the header 'X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER'.

Clients should use the signed variant 'STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER' instead.

Alternatively, restrict WRITE permissions by limiting 's3:PutObject' grants to trusted principals, although this does not fully eliminate the vulnerability.


Can you explain this vulnerability to me?

This vulnerability is an authentication bypass in MinIO's STREAMING-UNSIGNED-PAYLOAD-TRAILER code path. It allows any user who knows a valid access key to write arbitrary objects to any bucket without needing the secret key or a valid cryptographic signature.

The issue arises because the signature verification gate only checks for the presence of the Authorization header. An attacker can omit this header and supply credentials via the query string, bypassing signature verification and gaining write access with the permissions of the access key.

This affects the PutObjectHandler and PutObjectPartHandler functions, enabling unauthorized object uploads to any bucket.


How can this vulnerability impact me?

This vulnerability can allow an attacker with only a valid access key to write arbitrary data to any bucket in a MinIO deployment without proper authorization.

Such unauthorized writes can lead to data corruption, data poisoning, or unauthorized data injection, potentially disrupting services or compromising data integrity.

Because the attacker does not need the secret key or a valid signature, the attack surface is significantly increased, especially if default or weak access keys are in use.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for requests that contain the header "X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER" which indicates the use of the vulnerable unsigned payload streaming method.

You can inspect network traffic or logs for such requests to identify potential exploitation attempts.

For example, using command-line tools like tcpdump or tshark to filter HTTP requests with this header could help detect suspicious activity.

  • tcpdump -A -s 0 'tcp port 9000 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER'
  • tshark -Y 'http.header contains "X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER"' -T fields -e http.host -e http.request.uri

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade MinIO to RELEASE.2026-04-11T03-20-12Z or later, which contains the fix for this vulnerability.

If upgrading immediately is not possible, block requests containing the header "X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER" at the load balancer, reverse proxy, or WAF layer.

Clients should be configured to use the signed variant "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER" instead of the vulnerable unsigned variant.

Additionally, restrict WRITE permissions by limiting s3:PutObject grants to trusted principals only, reducing the attack surface.

Note that restricting WRITE permissions reduces but does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.

