Platform: go
Component: minio
Fixed in: 2023.0.1
CVE-2026-40344 describes two authentication bypass vulnerabilities discovered in MinIO's STREAMING-UNSIGNED-PAYLOAD-TRAILER code path. These vulnerabilities allow unauthorized users with a valid access key to write arbitrary objects to any bucket, effectively bypassing the need for a secret key or cryptographic signature. The affected versions include those released before 2026-04-11T03-20-12Z. A fix has been released in version 2026-04-11T03-20-12Z.
The impact of CVE-2026-40344 is significant, as it allows any user possessing a valid access key (such as the default minioadmin or any key with WRITE permissions) to compromise data integrity within MinIO deployments. Attackers can overwrite existing objects, inject malicious files, or even completely replace critical data with arbitrary content. This vulnerability effectively bypasses the intended security controls, granting unauthorized write access to sensitive data stored within MinIO buckets. The attack requires minimal effort, only a valid access key and a target bucket name, making it easily exploitable. This is similar to scenarios where default credentials are used in cloud storage services, leading to widespread data breaches.
CVE-2026-40344 was publicly disclosed on 2026-04-22. The vulnerability's ease of exploitation and the potential for widespread impact suggest a medium to high probability of exploitation. There are currently no known public proof-of-concept exploits, but the simplicity of the attack vector makes it likely that exploits will emerge. This vulnerability has not yet been added to the CISA KEV catalog, but its severity warrants close monitoring. Further investigation is needed to determine if this vulnerability is being actively exploited in the wild.
Organizations utilizing MinIO for object storage, particularly those using the default minioadmin access key or those with overly permissive access key configurations, are at significant risk. Shared hosting environments where multiple users share access keys are especially vulnerable. Legacy MinIO deployments that have not been regularly updated are also at increased risk.
• linux / server:
journalctl -u minio -g 'signature verification failed'
• generic web:
curl -I <minio_endpoint>/<bucket_name>/<object_name> # Check for unexpected response codes or headers indicating unauthorized access
• linux / server:
lsof -i :9000 | grep minio # Check for MinIO processes listening on the default port
EPSS: 0.15% (35th percentile)
The primary mitigation for CVE-2026-40344 is to immediately upgrade MinIO to version 2026-04-11T03-20-12Z or later. If upgrading is not immediately feasible, consider temporarily restricting access to sensitive buckets and implementing stricter access control policies. Review and rotate all access keys, especially the default minioadmin key, to revoke any potentially compromised credentials. While a WAF or proxy cannot directly prevent this vulnerability, it can be configured to monitor for unusual object write activity and alert administrators. Implement robust logging and monitoring to detect any unauthorized object modifications. After upgrading, confirm the fix by attempting to write an object to a protected bucket with a non-administrative access key; the operation should fail with an authentication error.
Upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. If an immediate update is not possible, block unsigned trailer requests at the load balancer or reverse proxy, or restrict write permissions.
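The interim mitigation above, blocking unsigned streaming-trailer uploads in front of MinIO until the upgrade lands, can be implemented as a small reverse-proxy middleware. The following is an added example, not code from MinIO or from this advisory; it assumes a Go proxy sits in front of the MinIO endpoint and matches on the S3 SigV4 `x-amz-content-sha256` header value `STREAMING-UNSIGNED-PAYLOAD-TRAILER`, which is the code path the advisory names. Only object writes (PUT/POST) carrying that value are rejected; reads and signed-payload uploads pass through unchanged, and each rejection is logged so the monitoring recommended above has something to alert on. The sample requests in `main` are constructed for illustration.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Header and value defined by the S3 SigV4 streaming upload scheme. The
// STREAMING-UNSIGNED-PAYLOAD-TRAILER mode is the code path named in the advisory.
const (
	headerContentSHA256    = "X-Amz-Content-Sha256"
	unsignedPayloadTrailer = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"
)

// isUnsignedTrailerWrite reports whether r is an object write (PUT or POST) that
// relies on the unsigned streaming trailer mode. GET/HEAD and other reads are never
// flagged, so ordinary downloads keep working while the block is in place.
func isUnsignedTrailerWrite(r *http.Request) bool {
	switch r.Method {
	case http.MethodPut, http.MethodPost:
	default:
		return false
	}
	value := strings.TrimSpace(r.Header.Get(headerContentSHA256))
	return strings.EqualFold(value, unsignedPayloadTrailer)
}

// blockUnsignedTrailer wraps the upstream handler (the MinIO proxy target) and
// answers matching writes with 403 instead of forwarding them. The bucket/object
// path and client address are logged so rejections can be monitored.
func blockUnsignedTrailer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isUnsignedTrailerWrite(r) {
			log.Printf("blocked unsigned-trailer write from %s to %s", r.RemoteAddr, r.URL.Path)
			http.Error(w, "unsigned streaming trailer uploads are disabled", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor runs one constructed request through the middleware in front of a
// stand-in backend that always answers 200, and returns the status the client sees.
// An empty sha256Header means the request carries no x-amz-content-sha256 header.
func statusFor(method, path, sha256Header string) int {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(method, path, nil)
	if sha256Header != "" {
		req.Header.Set(headerContentSHA256, sha256Header)
	}
	rec := httptest.NewRecorder()
	blockUnsignedTrailer(backend).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample requests, not captured traffic.
	cases := []struct{ method, path, sha string }{
		{"PUT", "/backups/db.tar.gz", "STREAMING-UNSIGNED-PAYLOAD-TRAILER"}, // blocked
		{"PUT", "/backups/db.tar.gz", "STREAMING-AWS4-HMAC-SHA256-PAYLOAD"}, // signed, allowed
		{"GET", "/backups/db.tar.gz", "STREAMING-UNSIGNED-PAYLOAD-TRAILER"}, // read, allowed
		{"PUT", "/backups/db.tar.gz", ""},                                   // no header, allowed
	}
	for _, c := range cases {
		fmt.Printf("%-4s %s %-40q -> %d\n", c.method, c.path, c.sha, statusFor(c.method, c.path, c.sha))
	}
}
```

In a real deployment the stand-in backend is replaced by an `httputil.ReverseProxy` pointing at the MinIO listener; the middleware itself does not change. Because legitimate clients that upload with unsigned trailers will also be refused, the block is a stop-gap until the fixed release is installed, after which it should be removed and the logged rejections reviewed.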
CVE-2026-40344 is an authentication bypass vulnerability in MinIO that allows unauthorized object writes with only a valid access key, affecting versions from 2023-05-18T00-05-36Z up to, but not including, 2026-04-11T03-20-12Z.
If you are running MinIO versions between 2023-05-18T00-05-36Z and 2026-04-11T03-20-12Z, you are potentially affected by this vulnerability.
Upgrade MinIO to version 2026-04-11T03-20-12Z or later to remediate the vulnerability. Assess upgrade impact beforehand.
There is currently no confirmed active exploitation, but the vulnerability's simplicity suggests a potential for exploitation.
Refer to the official MinIO security advisory for detailed information and updates: [https://docs.min.io/docs/security-advisories/](https://docs.min.io/docs/security-advisories/)