CVE-2026-42600
Path Traversal in MinIO Object Storage
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| minio | minio | From 2022-07-24T01-54-52Z (inc) to 2026-04-14T21-32-45Z (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in MinIO RELEASE.2026-04-14T21-32-45Z. To mitigate this vulnerability, you should upgrade your MinIO installation to this release or a later version.
Can you explain this vulnerability to me?
This vulnerability is a path traversal issue in MinIO's ReadMultiple internode storage-REST endpoint. It allows an attacker who has the cluster root JWT to read files outside the configured drive roots by sending a specially crafted POST request with path traversal sequences (../) in the Bucket field. The server then opens and returns the contents of these files, potentially exposing sensitive data.
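The CWE-22 pattern behind this issue, shown as an added Go example (it is not MinIO's code and not the project's actual fix): a join that trusts a caller-supplied bucket name beside a hardened join that confines the result to the drive root. The drive root `/data/drive1`, the bucket and object names, and the function names `unsafeJoin` and `safeJoin` are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathEscape is returned when a requested path would resolve outside the drive root.
var ErrPathEscape = errors.New("path escapes drive root")

// unsafeJoin is the CWE-22 "before" form: the caller-supplied bucket and object
// are joined onto the drive root with no confinement check, so ".." segments in
// the bucket name walk out of the root. (Hypothetical helper, not MinIO's code.)
func unsafeJoin(root, bucket, object string) string {
	return filepath.Join(root, bucket, object)
}

// safeJoin is the hardened form. It rejects empty or absolute segments and any
// ".." path element up front, then re-checks the cleaned result with
// filepath.Rel. Both checks matter: filepath.Join already collapses "..", so a
// prefix test on the joined string alone would not notice the traversal Join
// silently performed. Symlinks inside the root are not resolved here; a real
// store would additionally apply filepath.EvalSymlinks against the filesystem.
func safeJoin(root, bucket, object string) (string, error) {
	for _, seg := range []string{bucket, object} {
		if seg == "" || filepath.IsAbs(seg) {
			return "", ErrPathEscape
		}
		for _, part := range strings.Split(filepath.ToSlash(seg), "/") {
			if part == ".." {
				return "", ErrPathEscape
			}
		}
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(absRoot, bucket, object)
	rel, err := filepath.Rel(absRoot, joined)
	if err != nil {
		return "", ErrPathEscape
	}
	// rel must be a strictly nested relative path: not the root itself and not
	// starting with a ".." component.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return joined, nil
}

func main() {
	// Constructed sample inputs: one benign request, one carrying traversal in the bucket field.
	root := "/data/drive1"
	for _, req := range [][2]string{{"photos", "cat.jpg"}, {"../../etc", "passwd"}} {
		fmt.Printf("unsafe: %s\n", unsafeJoin(root, req[0], req[1]))
		if p, err := safeJoin(root, req[0], req[1]); err != nil {
			fmt.Printf("safe:   rejected (%v)\n", err)
		} else {
			fmt.Printf("safe:   %s\n", p)
		}
	}
}
```

The segment-level rejection of `..` is the part that closes the hole the CWE text describes; the `filepath.Rel` check is a second, independent guard so that a future change to how segments are parsed cannot silently reopen it.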
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker with cluster root JWT access to read arbitrary files on the MinIO server outside of the intended storage areas. This could lead to unauthorized disclosure of sensitive information, data leakage, and compromise of system confidentiality.