GHSA-HV4R-MVR4-25VW

Vulnerability from github – Published: 2026-04-14 23:40 – Updated: 2026-04-14 23:40
VLAI?
Summary
MinIO has an Unauthenticated Object Write via Query-String Credential Signature Bypass in Unsigned-Trailer Uploads
Details

Impact

What kind of vulnerability is it? Who is impacted?

An authentication bypass vulnerability in MinIO's STREAMING-UNSIGNED-PAYLOAD-TRAILER code path allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature.

Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default minioadmin, or any key with WRITE permission on a bucket) and a target bucket name.

PutObjectHandler and PutObjectPartHandler call newUnsignedV4ChunkedReader with a signature verification gate based solely on the presence of the Authorization header:

newUnsignedV4ChunkedReader(r, true, r.Header.Get(xhttp.Authorization) != "")

Meanwhile, isPutActionAllowed extracts credentials from either the Authorization header or the X-Amz-Credential query parameter, and trusts whichever it finds. An attacker omits the Authorization header and supplies credentials exclusively via the query string. The signature gate evaluates to false, doesSignatureMatch is never called, and the request proceeds with the permissions of the impersonated access key.

This affects PutObjectHandler (standard and tables/warehouse bucket paths) and PutObjectPartHandler (multipart uploads).

Affected components: cmd/object-handlers.go (PutObjectHandler), cmd/object-multipart-handlers.go (PutObjectPartHandler).

Affected Versions

All MinIO releases through the final release of the minio/minio open-source project.

The vulnerability was introduced in commit 76913a9fd ("Signed trailers for signature v4", PR #16484), which added authTypeStreamingUnsignedTrailer support. The first affected release is RELEASE.2023-05-18T00-05-36Z.

Patches

Fixed in: MinIO AIStor RELEASE.2026-04-11T03-20-12Z

Binary Downloads

Platform Architecture Download
Linux amd64 minio
Linux arm64 minio
macOS arm64 minio
macOS amd64 minio
Windows amd64 minio.exe

FIPS Binaries

Platform Architecture Download
Linux amd64 minio.fips
Linux arm64 minio.fips

Package Downloads

Format Architecture Download
DEB amd64 minio_20260411032012.0.0_amd64.deb
DEB arm64 minio_20260411032012.0.0_arm64.deb
RPM amd64 minio-20260411032012.0.0-1.x86_64.rpm
RPM arm64 minio-20260411032012.0.0-1.aarch64.rpm

Container Images

# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z

# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips

Homebrew (macOS)

brew install minio/aistor/minio

Workarounds

If upgrading is not immediately possible:

  • Block unsigned-trailer requests at the load balancer. Reject any request containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer. Clients can use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead.

  • Restrict WRITE permissions. Limit s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.

Credits

  • Finder: Arvin Shivram of Brutecat Security (@ddd)
Severity ?
8.8 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/minio/minio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-20230506025312-76913a9fd5c6"
            },
            {
              "last_affected": "0.0.0-20260212201848-7aac2a2c5b7c"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T23:40:05Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\n_What kind of vulnerability is it? Who is impacted?_\n\nAn authentication bypass vulnerability in MinIO\u0027s `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path\nallows any user who knows a valid access key to write arbitrary objects to any bucket without knowing\nthe secret key or providing a valid cryptographic signature.\n\nAny MinIO deployment is impacted. The attack requires only a valid access key (the well-known default\n`minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name.\n\n`PutObjectHandler` and `PutObjectPartHandler` call `newUnsignedV4ChunkedReader` with a signature\nverification gate based solely on the presence of the `Authorization` header:\n\n```go\nnewUnsignedV4ChunkedReader(r, true, r.Header.Get(xhttp.Authorization) != \"\")\n```\n\nMeanwhile, `isPutActionAllowed` extracts credentials from either the `Authorization` header or the\n`X-Amz-Credential` query parameter, and trusts whichever it finds. An attacker omits the\n`Authorization` header and supplies credentials exclusively via the query string. The signature gate\nevaluates to `false`, `doesSignatureMatch` is never called, and the request proceeds with the\npermissions of the impersonated access key.\n\nThis affects `PutObjectHandler` (standard and tables/warehouse bucket paths) and\n`PutObjectPartHandler` (multipart uploads).\n\n**Affected components:** `cmd/object-handlers.go` (`PutObjectHandler`),\n`cmd/object-multipart-handlers.go` (`PutObjectPartHandler`).\n\n### Affected Versions\n\nAll MinIO releases through the final release of the minio/minio open-source project.\n\nThe vulnerability was introduced in commit\n[`76913a9fd`](https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091)\n(\"Signed trailers for signature v4\", [PR #16484](https://github.com/minio/minio/pull/16484)),\nwhich added `authTypeStreamingUnsignedTrailer` support. The first affected release is\n`RELEASE.2023-05-18T00-05-36Z`.\n\n### Patches\n\n**Fixed in**: MinIO AIStor RELEASE.2026-04-11T03-20-12Z\n\n#### Binary Downloads\n\n| Platform | Architecture | Download                                                                    |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux    | amd64        | [minio](https://dl.min.io/aistor/minio/release/linux-amd64/minio)           |\n| Linux    | arm64        | [minio](https://dl.min.io/aistor/minio/release/linux-arm64/minio)           |\n| macOS    | arm64        | [minio](https://dl.min.io/aistor/minio/release/darwin-arm64/minio)          |\n| macOS    | amd64        | [minio](https://dl.min.io/aistor/minio/release/darwin-amd64/minio)          |\n| Windows  | amd64        | [minio.exe](https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe) |\n\n#### FIPS Binaries\n\n| Platform | Architecture | Download                                                                    |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux    | amd64        | [minio.fips](https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips) |\n| Linux    | arm64        | [minio.fips](https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips) |\n\n#### Package Downloads\n\n| Format | Architecture | Download                                                                                                                            |\n| ------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------- |\n| DEB    | amd64        | [minio_20260411032012.0.0_amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio_20260411032012.0.0_amd64.deb)         |\n| DEB    | arm64        | [minio_20260411032012.0.0_arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio_20260411032012.0.0_arm64.deb)         |\n| RPM    | amd64        | [minio-20260411032012.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260411032012.0.0-1.x86_64.rpm)   |\n| RPM    | arm64        | [minio-20260411032012.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/release/linux-arm64/minio-20260411032012.0.0-1.aarch64.rpm) |\n\n#### Container Images\n\n```bash\n# Standard\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z\n\n# FIPS\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips\n```\n\n#### Homebrew (macOS)\n\n```bash\nbrew install minio/aistor/minio\n```\n\n### Workarounds\n\n- [Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-04-11T03-20-12Z` or later.](https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/)\n\nIf upgrading is not immediately possible:\n\n- **Block unsigned-trailer requests at the load balancer.** Reject any request containing\n  `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the reverse proxy or WAF layer.\n  Clients can use `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER` (the signed variant) instead.\n\n- **Restrict WRITE permissions.** Limit `s3:PutObject` grants to trusted principals. While this\n  reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE\n  permission can exploit it with only their access key.\n\n### Credits\n\n- **Finder:** Arvin Shivram of Brutecat Security ([@ddd](https://github.com/ddd))",
  "id": "GHSA-hv4r-mvr4-25vw",
  "modified": "2026-04-14T23:40:05Z",
  "published": "2026-04-14T23:40:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/security/advisories/GHSA-hv4r-mvr4-25vw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/minio/minio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MinIO has an Unauthenticated Object Write via Query-String Credential Signature Bypass in Unsigned-Trailer Uploads"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.