Platform
go
Component
minio
Fixed in
2023.0.1
CVE-2026-40344 describes two authentication bypass vulnerabilities in MinIO's STREAMING-UNSIGNED-PAYLOAD-TRAILER code path, the handler for SigV4 uploads whose body is sent in unsigned chunks with a trailing checksum instead of a signed content hash. Both allow unauthorized object writes to any bucket, undermining the integrity of stored data. Affected releases run from RELEASE.2023-05-18T00-05-36Z up to, but not including, RELEASE.2026-04-11T03-20-12Z, which contains the fix.
The impact of CVE-2026-40344 is severe. An attacker who knows a valid MinIO access key (the default minioadmin, or any key whose policy grants WRITE) can write arbitrary objects to any bucket in the deployment: overwriting existing objects, corrupting backups or datasets, and planting attacker-controlled content that downstream systems may trust or execute. Because the request signature is never verified on this path, the secret key is not needed. The access key alone suffices, and access keys are identifiers rather than secrets: they appear in client configuration, in logs and in every presigned URL. That reduces the attack to a valid access key and a target bucket name, and negates the request authentication that SigV4 is supposed to provide.
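To make concrete what the skipped check is, here is an illustrative SigV4 verifier, added for this write-up and not taken from MinIO's code base (MinIO's real signature handling is not reproduced here). It shows that for a STREAMING-UNSIGNED-PAYLOAD-TRAILER upload the hashed-payload line of the canonical request is the literal marker rather than a body hash, but the Authorization signature is still an HMAC chain rooted in the secret key, so a caller who knows only the access key cannot produce it. The request, host, bucket and credentials are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Marker that x-amz-content-sha256 carries when the payload is sent in
// unsigned chunks with a trailing checksum. The payload is unsigned; the
// headers are not, and the Authorization signature still proves possession
// of the secret key.
const unsignedTrailer = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"

// Request is the part of an S3 request that SigV4 covers.
type Request struct {
	Method     string
	Path       string
	Query      string            // canonical query string, "" if none
	Headers    map[string]string // lowercase header names
	SignedHdrs []string          // the Authorization SignedHeaders= field
	AccessKey  string
	Region     string
	AmzDate    string // x-amz-date, e.g. 20260411T032012Z
	Signature  string // hex Signature= field of the Authorization header
}

func hmacSHA256(key []byte, data string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(data))
	return m.Sum(nil)
}

// canonicalRequest follows the AWS SigV4 layout. For unsigned-trailer uploads
// the hashed-payload line is the literal marker, not a SHA-256 of the body.
func canonicalRequest(r Request) string {
	names := append([]string(nil), r.SignedHdrs...)
	sort.Strings(names)
	var hdrs strings.Builder
	for _, n := range names {
		hdrs.WriteString(n + ":" + strings.TrimSpace(r.Headers[n]) + "\n")
	}
	return strings.Join([]string{
		r.Method, r.Path, r.Query, hdrs.String(),
		strings.Join(names, ";"), r.Headers["x-amz-content-sha256"],
	}, "\n")
}

// Sign computes the SigV4 signature a client holding secret would send.
func Sign(r Request, secret string) string {
	date := r.AmzDate[:8]
	scope := date + "/" + r.Region + "/s3/aws4_request"
	crHash := sha256.Sum256([]byte(canonicalRequest(r)))
	stringToSign := "AWS4-HMAC-SHA256\n" + r.AmzDate + "\n" + scope + "\n" + hex.EncodeToString(crHash[:])
	k := hmacSHA256([]byte("AWS4"+secret), date)
	k = hmacSHA256(k, r.Region)
	k = hmacSHA256(k, "s3")
	k = hmacSHA256(k, "aws4_request")
	return hex.EncodeToString(hmacSHA256(k, stringToSign))
}

// Verify recomputes the signature with the secret that belongs to the
// presented access key. There is deliberately no shortcut for streaming
// modes: an unsigned payload never means an unauthenticated request.
func Verify(r Request, secrets map[string]string) bool {
	secret, ok := secrets[r.AccessKey]
	if !ok || len(r.AmzDate) < 8 {
		return false
	}
	want := Sign(r, secret)
	return subtle.ConstantTimeCompare([]byte(want), []byte(r.Signature)) == 1
}

// sampleRequest is a constructed PutObject in unsigned-trailer mode. Host,
// bucket and access key are illustrative, not a real deployment.
func sampleRequest() Request {
	return Request{
		Method: "PUT",
		Path:   "/backups/db.tar.gz",
		Headers: map[string]string{
			"host":                         "minio.example.internal:9000",
			"x-amz-content-sha256":         unsignedTrailer,
			"x-amz-date":                   "20260411T032012Z",
			"x-amz-decoded-content-length": "1048576",
			"x-amz-trailer":                "x-amz-checksum-crc32",
		},
		SignedHdrs: []string{"host", "x-amz-content-sha256", "x-amz-date",
			"x-amz-decoded-content-length", "x-amz-trailer"},
		AccessKey: "minioadmin",
		Region:    "us-east-1",
		AmzDate:   "20260411T032012Z",
	}
}

func main() {
	secrets := map[string]string{"minioadmin": "minioadmin"} // assumed demo secret
	req := sampleRequest()
	req.Signature = Sign(req, "minioadmin")
	fmt.Println("holder of the secret key accepted:", Verify(req, secrets))
	req.Signature = Sign(req, "just-guessing")
	fmt.Println("access key without the secret accepted:", Verify(req, secrets))
}
```

The bug class the advisory describes is the inverse of Verify: a server that, on seeing the streaming marker, returns success before reaching the signature comparison. Any such early exit turns the access key into the whole credential.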
CVE-2026-40344 was publicly disclosed on 2026-04-22. The simplicity of the bypass and the ease of obtaining an access key suggest a high probability of exploitation. No active exploitation campaigns have been reported and the vulnerability is not listed in the CISA KEV catalog, but skipped signature verification is a well-understood bug class, and public proof-of-concept exploits are expected to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS
0.15% (35th percentile)
CISA SSVC
The primary mitigation for CVE-2026-40344 is to upgrade MinIO to RELEASE.2026-04-11T03-20-12Z or later immediately, after assessing the upgrade's impact on existing applications and workflows. Rolling back to a release older than 2023-05-18T00-05-36Z is not a reasonable workaround: it trades one vulnerability for nearly three years of missed fixes. If an immediate upgrade is not possible, reduce the blast radius: restrict every access key to the minimum bucket and action scope it needs, rotate keys that may have been exposed, and reject requests whose x-amz-content-sha256 header is STREAMING-UNSIGNED-PAYLOAD-TRAILER at a load balancer, reverse proxy or WAF in front of MinIO. Monitor MinIO audit logs for unexpected object creation, especially uploads in this streaming mode from unfamiliar source addresses. None of these is a substitute for patching.
Update to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. If an immediate update is not possible, block requests carrying x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the load balancer or reverse proxy, or restrict write permissions. Some clients upload in this mode (recent AWS SDK versions with default checksum validation among them), so test the block against your own clients before enforcing it.
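A filtering reverse proxy implementing the interim block from the two mitigation paragraphs above, written as an added example for this page rather than code from MinIO or the advisory. It assumes MinIO listens on 127.0.0.1:9000 and that this proxy is the only path by which clients reach it; both port numbers are placeholders. The match is on the x-amz-content-sha256 header, which is where a SigV4 client announces the streaming mode, and the same one-line rule can be expressed in nginx, HAProxy or a WAF.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// SigV4 marker for unsigned chunked uploads with a trailing checksum; the
// advisory's vulnerable code path handles exactly these requests.
const unsignedTrailer = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"

// IsUnsignedTrailerRequest reports whether a request selects the
// unsigned-trailer streaming mode. Header names are case-insensitive in
// net/http; the value is compared verbatim because the marker is a fixed token.
func IsUnsignedTrailerRequest(h http.Header) bool {
	return strings.TrimSpace(h.Get("X-Amz-Content-Sha256")) == unsignedTrailer
}

// BlockUnsignedTrailer wraps next and answers unsigned-trailer requests with
// 403 before they reach MinIO. Every other request passes through untouched.
// logf receives one line per blocked request, with method, path and source.
func BlockUnsignedTrailer(next http.Handler, logf func(string, ...interface{})) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if IsUnsignedTrailerRequest(r.Header) {
			logf("blocked unsigned-trailer upload %s %s from %s", r.Method, r.URL.Path, r.RemoteAddr)
			http.Error(w, "STREAMING-UNSIGNED-PAYLOAD-TRAILER uploads are disabled until MinIO is patched", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewProxy builds a single-host reverse proxy to MinIO with the filter in front.
func NewProxy(minioURL string, logf func(string, ...interface{})) (http.Handler, error) {
	u, err := url.Parse(minioURL)
	if err != nil {
		return nil, err
	}
	return BlockUnsignedTrailer(httputil.NewSingleHostReverseProxy(u), logf), nil
}

func main() {
	// Assumed layout: clients talk to this proxy on :9443, MinIO sits on :9000.
	h, err := NewProxy("http://127.0.0.1:9000", log.Printf)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("filtering proxy for MinIO listening on :9443")
	log.Fatal(http.ListenAndServe(":9443", h))
}
```

Clients that upload with trailing checksums receive 403 until MinIO is patched, so watch the log for legitimate sources being blocked. The same log line, with its source address, is also the monitoring the mitigation section asks for: it records every attempt to use the vulnerable code path, whether or not the caller held a valid secret.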
CVE-2026-40344 is an authentication bypass in MinIO that allows unauthorized object writes given only a valid access key. It affects releases from 2023-05-18T00-05-36Z up to, but not including, 2026-04-11T03-20-12Z.
If you are running a MinIO release from 2023-05-18T00-05-36Z up to, but not including, 2026-04-11T03-20-12Z, you are affected by this vulnerability.
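A version check for that window, added here as an example and not tooling from MinIO. It parses the RELEASE.<UTC timestamp> tag that `minio --version` prints (the tag is a build time, so the range is a plain time comparison) and applies the window stated above, first affected build inclusive, fixed build exclusive. The versions listed in main are constructed inputs, not a list of real releases.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// MinIO release tags look like RELEASE.2026-04-11T03-20-12Z and are UTC
// build timestamps, so ordering releases is ordering times.
const releaseLayout = "2006-01-02T15-04-05Z"

var (
	firstAffected = mustRelease("RELEASE.2023-05-18T00-05-36Z")
	fixedIn       = mustRelease("RELEASE.2026-04-11T03-20-12Z")
)

// ParseRelease accepts a bare tag, full `minio --version` output such as
// "minio version RELEASE.… (commit-id=…)", or the tag alone, and returns
// the build time.
func ParseRelease(s string) (time.Time, error) {
	s = strings.TrimSpace(s)
	if i := strings.Index(s, "RELEASE."); i >= 0 {
		s = s[i+len("RELEASE."):]
	}
	if sp := strings.IndexAny(s, " \t\n"); sp >= 0 { // drop anything after the tag
		s = s[:sp]
	}
	return time.Parse(releaseLayout, s)
}

func mustRelease(s string) time.Time {
	t, err := ParseRelease(s)
	if err != nil {
		panic(err)
	}
	return t
}

// IsAffected reports whether a release falls in
// [2023-05-18T00-05-36Z, 2026-04-11T03-20-12Z). A parse error means the
// input was not a release tag (for example a dev build) and must be checked by hand.
func IsAffected(release string) (bool, error) {
	t, err := ParseRelease(release)
	if err != nil {
		return false, err
	}
	return !t.Before(firstAffected) && t.Before(fixedIn), nil
}

func main() {
	for _, v := range []string{ // constructed sample inputs
		"minio version RELEASE.2023-05-17T23-59-59Z",
		"minio version RELEASE.2025-06-01T12-00-00Z (commit-id=deadbeef)",
		"RELEASE.2026-04-11T03-20-12Z",
		"dev-build",
	} {
		affected, err := IsAffected(v)
		if err != nil {
			fmt.Printf("%-62s not a release tag: %v\n", v, err)
			continue
		}
		fmt.Printf("%-62s affected=%v\n", v, affected)
	}
}
```

Feed it `minio --version` from each node, or the image tag from your deployment manifests; in a distributed deployment every node must be on the fixed build, not just the one you happened to query.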
Upgrade MinIO to version 2026-04-11T03-20-12Z or later to remediate the vulnerability. Assess upgrade impact beforehand.
There is currently no confirmed active exploitation, but the vulnerability's simplicity suggests a potential for exploitation.
Refer to the official MinIO security advisory for detailed information and updates: [https://docs.min.io/docs/security-advisories/](https://docs.min.io/docs/security-advisories/)