Authentication Bypass in MinIO Object Storage System
CVE-2026-41145

8.8 HIGH

Key Information:

Vendor: Minio

Status
Vendor
CVE Published: 22 April 2026

What is CVE-2026-41145?

An authentication bypass vulnerability in MinIO's object storage system allows users with a valid access key to write arbitrary objects to any bucket without needing the secret key or a valid cryptographic signature. The flaw lies in the 'STREAMING-UNSIGNED-PAYLOAD-TRAILER' code path: knowing a valid access key is enough for an attacker to perform malicious actions. The vulnerability impacts every MinIO deployment, because it lets an unauthorized party use the permissions of an access key they merely know, so it is critical for users to update to the latest version or apply the necessary workarounds.

Affected Version(s)

minio >= RELEASE.2023-05-18T00-05-36Z, < RELEASE.2026-04-11T03-20-12Z

CVSS V4

Score: 8.8
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
