MinIO Authentication Bypass Lets Attackers Write Arbitrary Objects to Buckets
MinIO disclosed authentication bypass flaws in its STREAMING-UNSIGNED-PAYLOAD-TRAILER upload path that let an attacker with knowledge of a valid access key write arbitrary objects to any bucket without the corresponding secret key or a valid cryptographic signature. The issues affect releases from RELEASE.2023-05-18T00-05-36Z up to, but not including, RELEASE.2026-04-11T03-20-12Z, and were assigned a CVSS v4.0 score of 8.8. One tracked issue, CVE-2026-41145, abuses inconsistent credential handling by omitting the Authorization header and supplying credentials through X-Amz-Credential, allowing requests to bypass signature verification in PutObjectHandler and PutObjectPartHandler across standard, warehouse, and multipart upload paths.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-41145 entry details query-string credential signature bypass
A CVE entry for `CVE-2026-41145` documented the MinIO query-string credential signature bypass in unsigned-trailer uploads, clarifying that deployments before `RELEASE.2026-04-11T03-20-12Z` were affected. It described how omitting the `Authorization` header and supplying `X-Amz-Credential` could bypass signature checks in object and multipart upload handlers.
MinIO publicly discloses two unauthenticated object-write vulnerabilities
MinIO published a security advisory describing two high-severity flaws in the unsigned-trailer upload path, including one in Snowball auto-extract handling and another affecting `PutObjectHandler` and `PutObjectPartHandler` when credentials are supplied via query string. The advisory rated the issues CVSS v4.0 8.8 and recommended upgrading, blocking `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`, and restricting write permissions.
MinIO fixes unsigned-trailer authentication bypass flaws in AIStor
MinIO fixed two authentication bypass vulnerabilities affecting `STREAMING-UNSIGNED-PAYLOAD-TRAILER` uploads in AIStor `RELEASE.2026-04-11T03-20-12Z`. The fixes addressed missing or bypassed signature verification that could let an attacker with a valid access key write arbitrary objects without the secret key.
MinIO introduces unsigned-trailer auth code path in affected releases
MinIO's vulnerable `authTypeStreamingUnsignedTrailer` support was introduced in commit `76913a9fd`, and the affected release range begins with `RELEASE.2023-05-18T00-05-36Z`. This change created the code paths later found to allow unauthenticated object writes under certain conditions.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2026-41145 - MinIO has an Unauthenticated Object Write via Query-String Credential Signature Bypass in Unsigned-Trailer Uploads
cvefeed.io
Open sourceUnauthenticated Object Write via Missing Signature Verification in Unsigned-Trailer Uploads · Advisory · minio/minio · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
MinIO flaws enabled forged OIDC tokens and LDAP brute-force to seize S3 access
MinIO disclosed two high-severity authentication vulnerabilities that could let attackers obtain unauthorized access to S3 data and administrative functions. **CVE-2026-33322** affects OpenID Connect authentication in versions from `RELEASE.2022-11-08T05-27-07Z` through versions before `RELEASE.2026-03-17T21-25-16Z`, where a JWT algorithm confusion issue allows an attacker who knows the OIDC `ClientSecret` to forge identity tokens and obtain S3 credentials with arbitrary policies, including `consoleAdmin`. The flaw creates a direct path to compromise confidentiality, integrity, and availability across affected MinIO deployments. A second issue, **CVE-2026-33419**, affects the STS `AssumeRoleWithLDAPIdentity` endpoint in MinIO AIStor before `RELEASE.2026-03-17T21-25-16Z`. Distinct error messages enabled LDAP username enumeration, and the absence of rate limiting allowed unlimited password-guessing attempts by an unauthenticated network attacker. If exploited, the weakness could yield temporary AWS-style STS credentials and expose S3 buckets and objects to unauthorized access. MinIO patched both vulnerabilities in `RELEASE.2026-03-17T21-25-16Z`.
Mar 24, 2026
MinIO Flaws Enable Security Bypass and Information Disclosure
German authorities issued advisories for multiple **MinIO** vulnerabilities that can bypass security controls, with one notice also warning of **information disclosure**. The advisories identify weaknesses in the object storage platform that could allow attackers to circumvent intended protections and expose sensitive data under certain conditions. A later advisory expanded the scope from a single issue to **multiple vulnerabilities** affecting MinIO, all tied to bypassing security measures. Organizations using MinIO should review the referenced advisories, identify affected deployments, and prioritize vendor fixes or mitigations to reduce the risk of unauthorized access and data exposure.
May 6, 2026
Docker Engine AuthZ Bypass Flaw Enables Host Access via Oversized API Requests
Docker disclosed a high-severity Docker Engine vulnerability, **CVE-2026-34040** (`CVSS 8.8`), that allows attackers to bypass authorization plugins and perform actions that should be blocked. The flaw stems from an incomplete fix for **CVE-2024-41110** and is triggered when a specially crafted oversized Docker API request causes the request body to be dropped before inspection by an AuthZ plugin. In affected environments, the plugin may approve container operations it would otherwise deny, opening a path to unauthorized privileged actions and potential host compromise. Researchers said an attacker with Docker API access could exploit the bug by padding a container-creation request beyond **1 MB** to launch a privileged container with access to the host filesystem, exposing sensitive assets such as **AWS credentials**, **SSH keys**, and **Kubernetes configurations**. The issue affects deployments that rely on authorization plugins inspecting request bodies, while environments not using those plugins are not impacted. Docker patched the vulnerability in **Docker Engine 29.3.1** and urged defenders to upgrade, restrict Docker API access, avoid AuthZ plugins that depend on request-body inspection, and use controls such as rootless mode, user namespace remapping, and least-privilege access to reduce risk.
Apr 8, 2026