Authentication Bypass in MinIO Object Storage
CVE-2026-40344

8.8 HIGH

Key Information:

Vendor: Minio

Status
Vendor
CVE Published: 22 April 2026

What is CVE-2026-40344?

MinIO's object storage system is affected by a vulnerability that allows a user who has a valid access key to write arbitrary objects to any bucket without the secret key being verified. The flaw is in PutObjectExtractHandler, which fails to check cryptographic signatures for a new authentication type introduced in an earlier update. Consequently, an attacker can send PUT requests that are never verified against the secret key, potentially compromising the integrity of stored data. Users are urged to upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later and to consider implementing security measures such as blocking unsigned-trailer requests at load balancers.

Affected Version(s)

minio >= RELEASE.2023-05-18T00-05-36Z, < RELEASE.2026-04-11T03-20-12Z
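A defender-side check for the two points above, as an added example that is not MinIO's code or part of the original advisory: it tests whether a release tag falls in the affected range and flags PUT requests that use the unsigned-trailer payload mode. It assumes your proxy or load balancer logs expose the `x-amz-content-sha256` request header, where SigV4 signals that mode with the value `STREAMING-UNSIGNED-PAYLOAD-TRAILER`; the record layout and function names are hypothetical.

```python
import re
from datetime import datetime

# Range stated on this page: >= FIRST_AFFECTED and < FIXED.
FIRST_AFFECTED = "RELEASE.2023-05-18T00-05-36Z"
FIXED = "RELEASE.2026-04-11T03-20-12Z"
# SigV4 x-amz-content-sha256 value for an unsigned payload with trailer.
UNSIGNED_TRAILER = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"

_TAG = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z$")

def release_time(tag):
    """Parse a MinIO release tag into a datetime (tags are UTC timestamps)."""
    m = _TAG.match(tag.strip())
    if not m:
        raise ValueError(f"not a MinIO release tag: {tag!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S")

def is_affected(tag):
    """True if the tag is inside the affected range given on this page."""
    return release_time(FIRST_AFFECTED) <= release_time(tag) < release_time(FIXED)

def is_unsigned_trailer_put(method, headers):
    """True for a PUT whose payload mode is the unsigned-trailer type."""
    lowered = {k.lower(): v.strip().upper() for k, v in headers.items()}
    return (method.upper() == "PUT"
            and lowered.get("x-amz-content-sha256") == UNSIGNED_TRAILER)

def flag_requests(records):
    """Return ids of logged requests a load balancer rule would block."""
    return [r["id"] for r in records
            if is_unsigned_trailer_put(r["method"], r["headers"])]

# Constructed sample log records (not real traffic).
SAMPLE = [
    {"id": "r1", "method": "PUT",
     "headers": {"x-amz-content-sha256": "UNSIGNED-PAYLOAD"}},
    {"id": "r2", "method": "PUT",
     "headers": {"X-Amz-Content-Sha256": "STREAMING-UNSIGNED-PAYLOAD-TRAILER"}},
    {"id": "r3", "method": "GET",
     "headers": {"x-amz-content-sha256": "STREAMING-UNSIGNED-PAYLOAD-TRAILER"}},
    {"id": "r4", "method": "PUT",
     "headers": {"x-amz-content-sha256": "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER"}},
]

if __name__ == "__main__":
    print("affected:", is_affected("RELEASE.2024-06-01T00-00-00Z"))
    print("flagged:", flag_requests(SAMPLE))
```

A flagged request is a candidate for review, not proof of abuse: clients that legitimately upload with unsigned trailers match the same rule and would be rejected by a blanket block.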

CVSS V4

Score: 8.8
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
