Platform: go
Component: minio
Fixed in: 2023.0.1
CVE-2026-41145 describes an authentication bypass vulnerability within MinIO, a popular object storage server. This flaw allows attackers with a valid access key to write arbitrary objects to any bucket, effectively bypassing the need for the secret key or a cryptographic signature. The vulnerability impacts MinIO deployments running versions between 2023-05-18T00-05-36Z (inclusive) and 2026-04-11T03-20-12Z (exclusive). A fix has been released in version 2026-04-11T03-20-12Z.
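To turn the affected range above into a check an operator can run against inventory, here is an added example (written for this page, not code from the advisory or from MinIO) that parses MinIO build tags of the form RELEASE.YYYY-MM-DDTHH-MM-SSZ and reports whether a build falls inside [2023-05-18T00-05-36Z, 2026-04-11T03-20-12Z). The function and constant names are mine, and the sample tags in main are constructed rather than taken from any deployment.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Range stated in the advisory: the first affected build is inclusive,
// the fixed build is exclusive.
const (
	FirstAffected = "2023-05-18T00-05-36Z"
	FixedRelease  = "2026-04-11T03-20-12Z"
)

// parseRelease turns a MinIO build tag such as
// "RELEASE.2026-04-11T03-20-12Z" into a time.Time. The time-of-day part
// of the tag uses dashes instead of colons, so it is rewritten to
// RFC 3339 before parsing (assumed tag layout).
func parseRelease(tag string) (time.Time, error) {
	tag = strings.TrimPrefix(strings.TrimSpace(tag), "RELEASE.")
	parts := strings.SplitN(tag, "T", 2)
	if len(parts) != 2 {
		return time.Time{}, fmt.Errorf("malformed release tag %q", tag)
	}
	rfc := parts[0] + "T" + strings.ReplaceAll(parts[1], "-", ":")
	return time.Parse(time.RFC3339, rfc)
}

// IsAffected reports whether the given build lies in
// [FirstAffected, FixedRelease). An unparseable tag is returned as an
// error rather than silently reported as "not affected".
func IsAffected(tag string) (bool, error) {
	v, err := parseRelease(tag)
	if err != nil {
		return false, err
	}
	lo, _ := parseRelease(FirstAffected)
	hi, _ := parseRelease(FixedRelease)
	return !v.Before(lo) && v.Before(hi), nil
}

func main() {
	// Constructed sample tags around the range boundaries.
	for _, tag := range []string{
		"RELEASE.2023-05-17T23-59-59Z",
		"RELEASE.2023-05-18T00-05-36Z",
		"RELEASE.2025-10-01T12-00-00Z",
		"RELEASE.2026-04-11T03-20-12Z",
	} {
		affected, err := IsAffected(tag)
		if err != nil {
			fmt.Println(tag, "error:", err)
			continue
		}
		fmt.Printf("%s affected=%v\n", tag, affected)
	}
}
```

The tag can be read from the server's admin info output or the container image label; whichever source is used, a tag that fails to parse should be treated as unknown and investigated, which is why the function errors instead of returning false.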
The impact of CVE-2026-41145 is significant due to its ease of exploitation and potential for widespread data compromise. An attacker only requires a valid access key, which could be the default minioadmin key or any key with write permissions on a bucket, and the target bucket name. This allows them to upload malicious files, overwrite existing data, or even inject code into applications relying on MinIO for storage. The blast radius extends to any data stored within the affected MinIO buckets, potentially exposing sensitive information such as user data, financial records, or intellectual property. This vulnerability shares similarities with other object storage bypasses where improper signature validation leads to unauthorized access.
CVE-2026-41145 was publicly disclosed on 2026-04-22. Its exploitation probability is considered medium due to the relative ease of exploitation and the widespread use of MinIO. No public proof-of-concept (PoC) code has been released as of this writing, but the vulnerability's simplicity suggests that a PoC is likely to emerge. It has not yet been added to the CISA KEV catalog.
Exploit Status
EPSS: 0.12% (31st percentile)
CISA SSVC
The primary mitigation for CVE-2026-41145 is to upgrade MinIO to version 2026-04-11T03-20-12Z or later. Before upgrading, it's crucial to review the MinIO release notes for any potential breaking changes and test the upgrade in a non-production environment. If an immediate upgrade is not feasible, consider implementing stricter access controls to limit the scope of potential damage. Revoke or rotate any keys with overly permissive access. While not a direct fix, implementing a Web Application Firewall (WAF) with rules to inspect and filter object upload requests could provide an additional layer of defense. Monitor MinIO logs for suspicious activity, particularly unauthorized object creation or modification.
Update to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. If an immediate update is not possible, block unsigned-trailer requests at the load balancer or WAF, or restrict which users hold write permissions.
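The interim measure above, blocking unsigned-trailer requests in front of MinIO, as an added example written for this page (not code from the advisory or from MinIO): a small Go reverse proxy that refuses object writes carrying that request type and forwards everything else. It assumes that "unsigned-trailer" corresponds to the S3 SigV4 streaming mode signalled by the header x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER; the advisory does not name the header, so that mapping, the listener port and the upstream address are assumptions.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Assumed marker for an unsigned-trailer upload: the SigV4 streaming
// mode in which payload chunks are unsigned and a checksum is sent as a
// trailer. The advisory names only the request type, not this header.
const unsignedTrailer = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"

// isUnsignedTrailerWrite matches only object-writing methods, so reads
// and bucket listings are never affected by the block.
func isUnsignedTrailerWrite(r *http.Request) bool {
	if r.Method != http.MethodPut && r.Method != http.MethodPost {
		return false
	}
	return strings.EqualFold(r.Header.Get("X-Amz-Content-Sha256"), unsignedTrailer)
}

// BlockUnsignedTrailer wraps an upstream handler and answers 403 to
// unsigned-trailer writes, logging each rejection for monitoring.
func BlockUnsignedTrailer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isUnsignedTrailerWrite(r) {
			log.Printf("blocked unsigned-trailer %s %s from %s", r.Method, r.URL.Path, r.RemoteAddr)
			http.Error(w, "unsigned-trailer uploads are disabled", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Placeholder upstream: the MinIO listener this proxy sits in front of.
	upstream, err := url.Parse("http://127.0.0.1:9000")
	if err != nil {
		log.Fatal(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	// Placeholder listen address for clients to use instead of MinIO directly.
	log.Fatal(http.ListenAndServe(":9001", BlockUnsignedTrailer(proxy)))
}
```

Legitimate SDK clients that use trailing checksums on uploads will also receive 403 from this filter, so watch the rejection log for application traffic and plan the real fix, the upgrade, accordingly; the filter is a stopgap, not a replacement for it.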
CVE-2026-41145 is an authentication bypass vulnerability in MinIO allowing attackers with a valid access key to write arbitrary objects to any bucket without a signature.
You are affected if you are running MinIO versions between 2023-05-18T00-05-36Z (inclusive) and 2026-04-11T03-20-12Z (exclusive).
Upgrade MinIO to version 2026-04-11T03-20-12Z or later. Review release notes and test the upgrade before deploying to production.
While no public exploits are currently known, the vulnerability's simplicity suggests exploitation is likely.
Refer to the official MinIO security advisory for CVE-2026-41145 on the MinIO website.