CVE-2026-40344
HIGH 8.2 | EPSS 0.16%
MinIO has an Unauthenticated Object Write via Missing Signature Verification in Unsigned-Trailer Uploads
Description
### Impact

Two authentication bypass vulnerabilities in MinIO's `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path allow any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name.

There are two vulnerabilities:

1. Missing Signature Verification in PutObjectExtractHandler / Snowball (CWE-306)
2. Signature Verification Bypass via Query-String Credentials (CWE-287)

**Vulnerability 1 — Missing signature verification in PutObjectExtractHandler (Snowball)**

When `authTypeStreamingUnsignedTrailer` support was added (commit 76913a9fd, PR #16484), the new auth type was handled in `PutObjectHandler` and `PutObjectPartHandler` but was never added to `PutObjectExtractHandler`. The snowball auto-extract handler's `switch rAuthType` block has no case for `authTypeStreamingUnsignedTrailer`, so execution falls through with zero signature verification. The `isPutActionAllowed` call before the switch extracts the access key and checks IAM permissions, but does not verify the cryptographic signature.

An attacker sends a PUT request with `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`, `X-Amz-Meta-Snowball-Auto-Extract: true`, and an `Authorization` header containing a valid access key with a completely fabricated signature. The request is accepted and the tar payload is extracted into the bucket.

**Affected component:** `cmd/object-handlers.go`, function `PutObjectExtractHandler`.
**Vulnerability 2 — Signature verification bypass via query-string credentials**

`PutObjectHandler` and `PutObjectPartHandler` call `newUnsignedV4ChunkedReader` with a signature verification gate based solely on the presence of the `Authorization` header:

```go
newUnsignedV4ChunkedReader(r, true, r.Header.Get(xhttp.Authorization) != "")
```

Meanwhile, `isPutActionAllowed` extracts credentials from either the `Authorization` header or the `X-Amz-Credential` query parameter, and trusts whichever it finds. An attacker omits the `Authorization` header and supplies credentials exclusively via the query string. The signature gate evaluates to `false`, `doesSignatureMatch` is never called, and the request proceeds with the permissions of the impersonated access key.

**Affected components:** `cmd/object-handlers.go` (`PutObjectHandler`), `cmd/object-multipart-handlers.go` (`PutObjectPartHandler`).

**CVSS v4.0 Score:** 8.8 (High)
**Vector:** `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N`
**CWE:** CWE-306 (Missing Authentication for Critical Function), CWE-287 (Improper Authentication)

### Affected Versions

All MinIO releases through the final release of the minio/minio open-source project. Both vulnerabilities were introduced in commit [`76913a9fd`](https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091) ("Signed trailers for signature v4", [PR #16484](https://github.com/minio/minio/pull/16484)), which added `authTypeStreamingUnsignedTrailer` support. The first affected release is `RELEASE.2023-05-18T00-05-36Z`.
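To make the disagreement between the permission check and the signature gate concrete, here is an added Go example (not MinIO's code) that places the gate as quoted beside an assumed hardened form deriving the verify decision from the same credential sources the permission check trusts; the host, path and credential strings are placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// credentialSource reports where a request presents SigV4 credentials, mirroring
// isPutActionAllowed as the advisory describes it: header or X-Amz-Credential query.
func credentialSource(r *http.Request) string {
	if r.Header.Get("Authorization") != "" {
		return "header"
	}
	if r.URL.Query().Get("X-Amz-Credential") != "" {
		return "query"
	}
	return "none"
}

// vulnerableGate is the gate quoted in the advisory: signature verification is
// requested only when the Authorization header is present.
func vulnerableGate(r *http.Request) bool {
	return r.Header.Get("Authorization") != ""
}

// hardenedGate is an assumed fix shape (not MinIO's actual patch): verify whenever
// credentials were presented from any source the permission check trusts.
func hardenedGate(r *http.Request) bool {
	return credentialSource(r) != "none"
}

// newUnsignedTrailerPut builds a constructed request; host, path and values are placeholders.
func newUnsignedTrailerPut(authHeader, queryCredential string) *http.Request {
	u := &url.URL{Scheme: "http", Host: "minio.example.internal", Path: "/bucket/object"}
	if queryCredential != "" {
		u.RawQuery = url.Values{"X-Amz-Credential": {queryCredential}}.Encode()
	}
	r, _ := http.NewRequest(http.MethodPut, u.String(), nil)
	r.Header.Set("X-Amz-Content-Sha256", "STREAMING-UNSIGNED-PAYLOAD-TRAILER")
	if authHeader != "" {
		r.Header.Set("Authorization", authHeader)
	}
	return r
}

func main() {
	r := newUnsignedTrailerPut("", "EXAMPLEKEY/20260101/us-east-1/s3/aws4_request")
	fmt.Printf("source=%s vulnerable=%v hardened=%v\n", credentialSource(r), vulnerableGate(r), hardenedGate(r))
}
```

The query-only request is the case where the permission check finds a key but the quoted gate returns `false`; the hardened gate returns `true` for it, and both gates still return `false` for a request that presents no credentials at all.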
### Patches

**Fixed in**: MinIO AIStor RELEASE.2026-04-11T03-20-12Z

#### Binary Downloads

| Platform | Architecture | Download |
| -------- | ------------ | -------- |
| Linux | amd64 | [minio](https://dl.min.io/aistor/minio/release/linux-amd64/minio) |
| Linux | arm64 | [minio](https://dl.min.io/aistor/minio/release/linux-arm64/minio) |
| macOS | arm64 | [minio](https://dl.min.io/aistor/minio/release/darwin-arm64/minio) |
| macOS | amd64 | [minio](https://dl.min.io/aistor/minio/release/darwin-amd64/minio) |
| Windows | amd64 | [minio.exe](https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe) |

#### FIPS Binaries

| Platform | Architecture | Download |
| -------- | ------------ | -------- |
| Linux | amd64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips) |
| Linux | arm64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips) |

#### Package Downloads

| Format | Architecture | Download |
| ------ | ------------ | -------- |
| DEB | amd64 | [minio_20260411032012.0.0_amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio_20260411032012.0.0_amd64.deb) |
| DEB | arm64 | [minio_20260411032012.0.0_arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio_20260411032012.0.0_arm64.deb) |
| RPM | amd64 | [minio-20260411032012.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260411032012.0.0-1.x86_64.rpm) |
| RPM | arm64 | [minio-20260411032012.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/release/linux-arm64/minio-20260411032012.0.0-1.aarch64.rpm) |

#### Container Images

```bash
# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z

# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips
```

#### Homebrew (macOS)

```bash
brew install minio/aistor/minio
```

### Workarounds

- [Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-04-11T03-20-12Z` or later.](https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/)

If upgrading is not immediately possible:

- **Block unsigned-trailer requests at the load balancer.** Reject any request containing `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the reverse proxy or WAF layer. Clients can use `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER` (the signed variant) instead.
- **Restrict WRITE permissions.** Limit `s3:PutObject` grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.

### Credits

- **Finder:** Arvin Shivram of Brutecat Security ([@ddd](https://github.com/ddd))

### References

- Introducing commit: [`76913a9fd`](https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091) ([PR #16484](https://github.com/minio/minio/pull/16484))
- [MinIO AIStor](https://min.io/aistor)
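The load-balancer workaround above, written as an added Go reverse-proxy middleware (example code, not MinIO's or any proxy vendor's): it refuses unsigned-trailer uploads before they reach the vulnerable handlers and lets the signed variant through. The case-insensitive match and the placeholder host are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Header value the advisory says to reject at the proxy, and the signed variant clients can use.
const unsignedTrailer = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"
const signedTrailer = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER"

// rejectsUnsignedTrailer is the perimeter rule. Matching is case-insensitive as a
// conservative choice (an assumption here, not MinIO's own comparison).
func rejectsUnsignedTrailer(r *http.Request) bool {
	return strings.EqualFold(r.Header.Get("X-Amz-Content-Sha256"), unsignedTrailer)
}

// blockUnsignedTrailer wraps the proxy's MinIO route so unsigned-trailer uploads never reach it.
func blockUnsignedTrailer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if rejectsUnsignedTrailer(r) {
			http.Error(w, "unsigned trailer uploads are disabled; use "+signedTrailer, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor runs a request through the workaround in front of a stub upstream (200 means passed on).
func statusFor(r *http.Request) int {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	blockUnsignedTrailer(upstream).ServeHTTP(rec, r)
	return rec.Code
}

// newConstructedPut builds a sample PUT (placeholder host/path) with the given X-Amz-Content-Sha256.
func newConstructedPut(sha256Header string) *http.Request {
	r, _ := http.NewRequest(http.MethodPut, "http://minio.example.internal/bucket/object", nil)
	if sha256Header != "" {
		r.Header.Set("X-Amz-Content-Sha256", sha256Header)
	}
	return r
}

func main() {
	fmt.Println(statusFor(newConstructedPut(unsignedTrailer)), statusFor(newConstructedPut(signedTrailer)))
}
```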
Affected packages (2)
- Bitnami/minio >= 2023.05.18
- Go/github.com/minio/minio >= 0.0.0-20230506025312-76913a9fd5c6, <= 0.0.0-20260212201848-7aac2a2c5b7c
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L |