Platform: go
Component: minio
Fixed in: 2023.0.1
CVE-2026-41145 describes an authentication bypass vulnerability within MinIO, a popular object storage server. This flaw allows attackers possessing a valid access key to write arbitrary objects to any bucket, effectively bypassing the need for the secret key or cryptographic signature. The vulnerability impacts MinIO deployments running versions between 2023-05-18T00-05-36Z (inclusive) and 2026-04-11T03-20-12Z (exclusive). A fix has been released in version 2026-04-11T03-20-12Z.
The impact of CVE-2026-41145 is severe due to the ease of exploitation and the potential for widespread data compromise. An attacker only needs a valid access key – which could be a default key like minioadmin or a key with WRITE permissions on a bucket – and the target bucket name to execute the attack. This bypass circumvents MinIO's intended security controls, allowing unauthorized modification or creation of objects within the storage system. The potential consequences include data corruption, malicious file uploads, and the introduction of backdoors. This vulnerability shares similarities with other object storage bypasses where improper signature validation or access control enforcement leads to unauthorized access.
CVE-2026-41145 was publicly disclosed on 2026-04-22. A CVSS severity score has not yet been assigned. There are currently no known public proof-of-concept exploits, but the ease of exploitation makes it a high-priority vulnerability. It is not currently listed on CISA KEV. Active campaigns are not yet confirmed, but the vulnerability's simplicity suggests it could become a target for opportunistic attackers.
Organizations utilizing MinIO for object storage, particularly those using the default minioadmin access key or those with overly permissive access controls, are at significant risk. Shared hosting environments where multiple users share MinIO buckets are also particularly vulnerable, as a compromised user account could be leveraged to exploit this vulnerability.
• linux / server:
journalctl -u minio -g 'STREAMING-UNSIGNED-PAYLOAD-TRAILER'
• generic web:
curl -I https://<minio_endpoint>/<bucket_name>/<object_name> -H "X-Minio-Access-Key: <valid_access_key>" -H "X-Minio-Signature: "
• linux / server:
lsof -i :9000 | grep minio
Exploit status
EPSS: 0.12% (31st percentile)
The primary mitigation for CVE-2026-41145 is to immediately upgrade MinIO to version 2026-04-11T03-20-12Z or later. If an immediate upgrade is not feasible, consider temporarily restricting access to sensitive buckets and reviewing existing access keys for potential compromise. While not a direct fix, implementing a Web Application Firewall (WAF) with rules to inspect and block requests lacking valid signatures can provide a temporary layer of defense. Monitor MinIO logs for unusual object creation or modification activity, particularly from unexpected sources. After upgrading, confirm the fix by attempting to create an object in a sensitive bucket using an access key without the corresponding secret key; the operation should fail with an authentication error.
Upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. If an immediate update is not possible, block unsigned-trailer requests at the load balancer or WAF, or restrict write permissions for users.
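The log sweep suggested above (the journalctl check and the advice to monitor MinIO logs for unusual writes), as an added Python example that is not part of this advisory or of MinIO: it scans constructed line-delimited JSON records in an assumed flat layout (the field names reqHeader, accessKey, remotehost and api are assumptions, not MinIO's audit schema), flags write calls whose x-amz-content-sha256 header carries the STREAMING-UNSIGNED-PAYLOAD-TRAILER value named in the journalctl command, and tallies them by access key and source host so those keys can be reviewed first.

```python
import json
from collections import Counter

# Header value from the advisory's journalctl check; legitimate SDK uploads can send it too.
UNSIGNED_TRAILER = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"
WRITE_APIS = {"PutObject", "PutObjectPart", "CompleteMultipartUpload"}

# Constructed sample records in an assumed flat JSON layout (not real MinIO audit output).
SAMPLE_LOG = [
    '{"time":"2026-04-20T10:00:01Z","api":"PutObject","bucket":"backups","object":"db.sql",'
    '"accessKey":"minioadmin","remotehost":"203.0.113.9",'
    '"reqHeader":{"X-Amz-Content-Sha256":"STREAMING-UNSIGNED-PAYLOAD-TRAILER"}}',
    '{"time":"2026-04-20T10:00:02Z","api":"GetObject","bucket":"backups","object":"db.sql",'
    '"accessKey":"minioadmin","remotehost":"203.0.113.9",'
    '"reqHeader":{"X-Amz-Content-Sha256":"STREAMING-UNSIGNED-PAYLOAD-TRAILER"}}',
    '{"time":"2026-04-20T10:00:03Z","api":"PutObject","bucket":"www","object":"index.html",'
    '"accessKey":"ci-deployer","remotehost":"10.0.0.5",'
    '"reqHeader":{"X-Amz-Content-Sha256":"UNSIGNED-PAYLOAD"}}',
    '{"time":"2026-04-20T10:00:04Z","api":"PutObject","bucket":"www","object":"report.pdf",'
    '"accessKey":"minioadmin","remotehost":"203.0.113.9",'
    '"reqHeader":{"x-amz-content-sha256":"STREAMING-UNSIGNED-PAYLOAD-TRAILER"}}',
    "not json at all",
]

def find_unsigned_trailer_writes(lines):
    """Return write calls whose payload was declared as an unsigned trailer stream."""
    findings = []
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the sweep
        headers = {k.lower(): v for k, v in rec.get("reqHeader", {}).items()}
        if headers.get("x-amz-content-sha256") != UNSIGNED_TRAILER:
            continue
        if rec.get("api") not in WRITE_APIS:
            continue  # reads cannot create or modify objects
        findings.append({"time": rec.get("time"), "accessKey": rec.get("accessKey"),
                         "remotehost": rec.get("remotehost"),
                         "target": f'{rec.get("bucket")}/{rec.get("object")}'})
    return findings

def keys_to_review(findings):
    """Tally flagged writes per (access key, source host) to prioritise key review."""
    return Counter((f["accessKey"], f["remotehost"]) for f in findings)

if __name__ == "__main__":
    hits = find_unsigned_trailer_writes(SAMPLE_LOG)
    print(hits, keys_to_review(hits))
```

Current AWS SDK clients can also send that header value for chunked uploads, so every hit is a candidate to correlate against expected clients and deployment pipelines, not confirmed exploitation.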
CVE-2026-41145 is an authentication bypass vulnerability in MinIO allowing attackers with a valid access key to write arbitrary objects to any bucket without a signature.
You are affected if you are running MinIO versions between 2023-05-18T00-05-36Z (inclusive) and 2026-04-11T03-20-12Z (exclusive).
Upgrade MinIO to version 2026-04-11T03-20-12Z or later. Review release notes and test the upgrade before deploying to production.
While no public exploits are currently known, the vulnerability's simplicity suggests exploitation is likely.
Refer to the official MinIO security advisory for CVE-2026-41145 on the MinIO website.