{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/minio/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["minio","authentication-bypass","object-storage"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMinIO is susceptible to two authentication bypass vulnerabilities affecting all deployments up to AIStor RELEASE.2026-04-11T03-20-12Z. The vulnerability lies within the \u003ccode\u003eSTREAMING-UNSIGNED-PAYLOAD-TRAILER\u003c/code\u003e code path. An attacker possessing a valid access key (including the default \u003ccode\u003eminioadmin\u003c/code\u003e or any key with WRITE permissions) can exploit these flaws to write arbitrary objects to any bucket. This bypass eliminates the need for the secret key or a valid cryptographic signature. One vulnerability involves missing signature verification in \u003ccode\u003ePutObjectExtractHandler\u003c/code\u003e, while the other bypasses signature verification using query-string credentials. These issues stem from the introduction of \u003ccode\u003eauthTypeStreamingUnsignedTrailer\u003c/code\u003e support in commit 76913a9fd, specifically impacting releases from RELEASE.2023-05-18T00-05-36Z onwards.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains a valid MinIO access key, either through default credentials or compromised accounts.\u003c/li\u003e\n\u003cli\u003eFor vulnerability 1, the attacker crafts a PUT request with \u003ccode\u003eX-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER\u003c/code\u003e, \u003ccode\u003eX-Amz-Meta-Snowball-Auto-Extract: true\u003c/code\u003e, and an \u003ccode\u003eAuthorization\u003c/code\u003e header containing the valid access key but a fabricated signature.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the MinIO server\u0026rsquo;s \u003ccode\u003ePutObjectExtractHandler\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDue to the missing signature verification in the \u003ccode\u003ePutObjectExtractHandler\u003c/code\u003e, the request proceeds without proper authentication.\u003c/li\u003e\n\u003cli\u003eThe server extracts the access key and checks IAM permissions via \u003ccode\u003eisPutActionAllowed\u003c/code\u003e, but the fabricated signature is not validated.\u003c/li\u003e\n\u003cli\u003eThe server accepts the request, and the attacker-controlled payload is extracted into the target bucket.\u003c/li\u003e\n\u003cli\u003eFor vulnerability 2, the attacker crafts a PUT or PUT Part request omitting the \u003ccode\u003eAuthorization\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe attacker includes authentication credentials (access key) exclusively via the \u003ccode\u003eX-Amz-Credential\u003c/code\u003e query parameter. Since the \u003ccode\u003eAuthorization\u003c/code\u003e header is missing, signature verification is skipped, and the request proceeds with the permissions of the impersonated access key, allowing the attacker to write arbitrary objects.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows unauthorized users to modify objects within MinIO storage buckets, potentially leading to data breaches, service disruptions, or the injection of malicious content. Any MinIO deployment is affected, creating a widespread risk for organizations relying on MinIO for their storage infrastructure. The CVSS v4.0 score of 8.8 (High) highlights the severity and potential impact of these vulnerabilities. The number of victims depends on the adoption rate of vulnerable MinIO versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to MinIO AIStor version \u003ccode\u003eRELEASE.2026-04-11T03-20-12Z\u003c/code\u003e or later, as indicated in the \u003ca href=\"https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/\"\u003eMinIO AIStor documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement a block at the load balancer or reverse proxy to reject any requests containing \u003ccode\u003eX-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER\u003c/code\u003e, as mentioned in the \u003cstrong\u003eWorkarounds\u003c/strong\u003e section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect MinIO Unsigned Payload Trailer\u003c/code\u003e to identify exploitation attempts based on the presence of the vulnerable header.\u003c/li\u003e\n\u003cli\u003eReview and restrict WRITE permissions (\u003ccode\u003es3:PutObject\u003c/code\u003e) to trusted principals to reduce the attack surface as described in the \u003cstrong\u003eWorkarounds\u003c/strong\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T00:05:52Z","date_published":"2026-04-14T00:05:52Z","id":"/briefs/2026-04-minio-auth-bypass/","summary":"Two authentication bypass vulnerabilities in MinIO allow writing arbitrary objects to any bucket with only a valid access key, without the secret key or valid signature, impacting all MinIO deployments.","title":"MinIO Unauthenticated Object Write Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-minio-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["dos","minio","s3select"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMinIO, an open-source object storage server, is susceptible to a denial-of-service (DoS) vulnerability within its S3 Select functionality. This flaw, present since the introduction of S3 Select support in commit 7c14cdb60e53dbfdad2be644dfb180cab19fffa7 (included in releases since RELEASE.2018-08-18T03-49-57Z), stems from unbounded memory allocation when parsing CSV files. Any authenticated user possessing both \u003ccode\u003es3:PutObject\u003c/code\u003e and \u003ccode\u003es3:GetObject\u003c/code\u003e permissions can exploit this vulnerability by uploading a specially crafted CSV file lacking newline characters. A relatively small, gzip-compressed CSV file (around 2MB) can decompress into gigabytes of data, triggering excessive memory consumption and causing the MinIO server process to crash. Defenders should upgrade to MinIO AIStor RELEASE.2025-12-20T04-58-37Z or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the MinIO server with valid credentials, having both \u003ccode\u003es3:PutObject\u003c/code\u003e and \u003ccode\u003es3:GetObject\u003c/code\u003e permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious CSV file. This file intentionally lacks newline characters and may be compressed using gzip to maximize its impact.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious CSV file to a MinIO bucket using the \u003ccode\u003es3:PutObject\u003c/code\u003e permission.\u003c/li\u003e\n\u003cli\u003eThe attacker then sends an S3 Select \u003ccode\u003eGetObject\u003c/code\u003e request to the MinIO server, specifying the malicious CSV file as the target. This triggers the vulnerable CSV parsing logic.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enextSplit()\u003c/code\u003e function in \u003ccode\u003einternal/s3select/csv/reader.go\u003c/code\u003e attempts to read the CSV file line by line, using \u003ccode\u003ebufio.Reader.ReadBytes('\\n')\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the absence of newline characters, the function reads the entire file into memory without any size limitation, leading to unbounded memory allocation.\u003c/li\u003e\n\u003cli\u003eThe excessive memory consumption leads to an out-of-memory (OOM) condition on the MinIO server.\u003c/li\u003e\n\u003cli\u003eThe MinIO server process crashes, resulting in a denial of service for all users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition, rendering the MinIO server unavailable. The attacker can repeatedly trigger the vulnerability, causing prolonged disruption to the service. The vulnerability affects all MinIO deployments using versions RELEASE.2018-08-18T03-49-57Z up to RELEASE.2025-12-03T08-12-39Z. The number of affected installations is unknown. Sectors using MinIO for object storage are vulnerable. If successful, this attack could interrupt services reliant on the object storage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to MinIO AIStor version RELEASE.2025-12-20T04-58-37Z or later to remediate the vulnerability as documented in the advisory.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, disable S3 Select access via IAM policies, specifically denying \u003ccode\u003es3:GetObject\u003c/code\u003e actions or \u003ccode\u003eSelectObjectContent\u003c/code\u003e requests as described in the \u0026ldquo;Workarounds\u0026rdquo; section of the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor MinIO server resource consumption, particularly memory usage, to detect potential exploitation attempts. Deploy the provided Sigma rule to detect potential DoS attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T17:32:31Z","date_published":"2026-04-09T17:32:31Z","id":"/briefs/2026-04-minio-dos/","summary":"MinIO's S3 Select feature is vulnerable to denial of service due to unbounded memory allocation when processing CSV files without newlines, leading to memory exhaustion and server crashes.","title":"MinIO S3 Select CSV Parsing Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-04-minio-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["minio","s3","metadata-injection","denial-of-service"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA flaw in MinIO\u0026rsquo;s \u003ccode\u003eextractMetadataFromMime()\u003c/code\u003e function allows any authenticated user with \u003ccode\u003es3:PutObject\u003c/code\u003e permission to inject internal server-side encryption (SSE) metadata into objects. This is achieved by sending crafted \u003ccode\u003eX-Minio-Replication-*\u003c/code\u003e headers on a normal PutObject request. The MinIO server incorrectly maps these headers to \u003ccode\u003eX-Minio-Internal-*\u003c/code\u003e encryption metadata without validating if the request is a legitimate replication request. Objects written in this manner contain bogus encryption keys and become permanently unreadable through the S3 API. This vulnerability affects all MinIO releases up to the final release of the \u003ccode\u003eminio/minio\u003c/code\u003e open-source project, specifically versions introduced after commit \u003ccode\u003e468a9fae83e965ecefa1c1fdc2fc57b84ece95b0\u003c/code\u003e (included in \u003ccode\u003eRELEASE.2024-03-30T09-41-56Z\u003c/code\u003e). It was resolved in MinIO AIStor \u003ccode\u003eRELEASE.2026-03-26T21-24-40Z\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the MinIO server with valid credentials having \u003ccode\u003es3:PutObject\u003c/code\u003e permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious PutObject request targeting a specific bucket and object key.\u003c/li\u003e\n\u003cli\u003eThe attacker includes \u003ccode\u003eX-Minio-Replication-Server-Side-Encryption-*\u003c/code\u003e headers in the PutObject request.\u003c/li\u003e\n\u003cli\u003eThe attacker omits the \u003ccode\u003eX-Minio-Source-Replication-Request\u003c/code\u003e header, which would normally indicate a legitimate replication request.\u003c/li\u003e\n\u003cli\u003eThe MinIO server\u0026rsquo;s \u003ccode\u003eextractMetadataFromMime()\u003c/code\u003e function incorrectly maps the crafted \u003ccode\u003eX-Minio-Replication-*\u003c/code\u003e headers to \u003ccode\u003eX-Minio-Internal-Server-Side-Encryption-*\u003c/code\u003e headers.\u003c/li\u003e\n\u003cli\u003eThe server writes the object metadata, including the bogus encryption keys, to the object storage.\u003c/li\u003e\n\u003cli\u003eSubsequent GetObject or HeadObject requests for the modified object will fail because the server treats the object as encrypted with non-existent or incorrect keys.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves a targeted denial-of-service, rendering the object permanently unreadable via the S3 API.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability enables a targeted denial-of-service attack. An attacker can selectively corrupt individual objects or entire buckets within a MinIO deployment. Successful exploitation results in permanent data loss, as affected objects become unreadable through the S3 API. This can disrupt critical services relying on the object storage and potentially impact a large number of users if entire buckets are targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to MinIO AIStor version \u003ccode\u003eRELEASE.2026-03-26T21-24-40Z\u003c/code\u003e or later to patch the vulnerability as documented in the \u003ca href=\"https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/\"\u003erelease notes\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement a reverse proxy or load balancer rule to drop or reject any request containing \u003ccode\u003eX-Minio-Replication-Server-Side-Encryption-*\u003c/code\u003e headers that does not also include \u003ccode\u003eX-Minio-Source-Replication-Request\u003c/code\u003e, mitigating the injection path as described in the \u003ca href=\"#workarounds\"\u003eWorkarounds\u003c/a\u003e section.\u003c/li\u003e\n\u003cli\u003eReview and restrict IAM policies to limit \u003ccode\u003es3:PutObject\u003c/code\u003e grants to trusted principals only, reducing the attack surface as noted in the \u003ca href=\"#workarounds\"\u003eWorkarounds\u003c/a\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-27T22:26:05Z","date_published":"2026-03-27T22:26:05Z","id":"/briefs/2024-05-minio-metadata-injection/","summary":"A vulnerability in MinIO allows authenticated users with `s3:PutObject` permission to inject internal server-side encryption metadata into objects via crafted replication headers, leading to permanent data unreadability.","title":"MinIO SSE Metadata Injection via Replication Headers Leads to Data Unreadability","url":"https://feed.craftedsignal.io/briefs/2024-05-minio-metadata-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Minio","version":"https://jsonfeed.org/version/1.1"}