https://feed.craftedsignal.io/tags/minio/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 14 Apr 2026 00:05:52 +0000https://feed.craftedsignal.io/briefs/2026-04-minio-auth-bypass/Tue, 14 Apr 2026 00:05:52 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-minio-auth-bypass/Two authentication bypass vulnerabilities in MinIO allow writing arbitrary objects to any bucket with only a valid access key, without the secret key or valid signature, impacting all MinIO deployments.MinIO is susceptible to two authentication bypass vulnerabilities affecting all deployments up to AIStor RELEASE.2026-04-11T03-20-12Z. The vulnerability lies within the STREAMING-UNSIGNED-PAYLOAD-TRAILER code path. An attacker possessing a valid access key (including the default minioadmin or any key with WRITE permissions) can exploit these flaws to write arbitrary objects to any bucket. This bypass eliminates the need for the secret key or a valid cryptographic signature. One vulnerability involves missing signature verification in PutObjectExtractHandler, while the other bypasses signature verification using query-string credentials. These issues stem from the introduction of authTypeStreamingUnsignedTrailer support in commit 76913a9fd, specifically impacting releases from RELEASE.2023-05-18T00-05-36Z onwards.

Attack Chain

1. Attacker obtains a valid MinIO access key, either through default credentials or compromised accounts.
2. For vulnerability 1, the attacker crafts a PUT request with X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER, X-Amz-Meta-Snowball-Auto-Extract: true, and an Authorization header containing the valid access key but a fabricated signature.
3. The request is sent to the MinIO server’s PutObjectExtractHandler endpoint.
4. Due to the missing signature verification in the PutObjectExtractHandler, the request proceeds without proper authentication.
5. The server extracts the access key and checks IAM permissions via isPutActionAllowed, but the fabricated signature is not validated.
6. The server accepts the request, and the attacker-controlled payload is extracted into the target bucket.
7. For vulnerability 2, the attacker crafts a PUT or PUT Part request omitting the Authorization header.
8. The attacker includes authentication credentials (access key) exclusively via the X-Amz-Credential query parameter. Since the Authorization header is missing, signature verification is skipped, and the request proceeds with the permissions of the impersonated access key, allowing the attacker to write arbitrary objects.

Impact

Successful exploitation of these vulnerabilities allows unauthorized users to modify objects within MinIO storage buckets, potentially leading to data breaches, service disruptions, or the injection of malicious content. Any MinIO deployment is affected, creating a widespread risk for organizations relying on MinIO for their storage infrastructure. The CVSS v4.0 score of 8.8 (High) highlights the severity and potential impact of these vulnerabilities. The number of victims depends on the adoption rate of vulnerable MinIO versions.

Recommendation

• Upgrade to MinIO AIStor version RELEASE.2026-04-11T03-20-12Z or later, as indicated in the MinIO AIStor documentation.
• Implement a block at the load balancer or reverse proxy to reject any requests containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER, as mentioned in the Workarounds section.
• Deploy the Sigma rule Detect MinIO Unsigned Payload Trailer to identify exploitation attempts based on the presence of the vulnerable header.
• Review and restrict WRITE permissions (s3:PutObject) to trusted principals to reduce the attack surface as described in the Workarounds section.

]]>highadvisoryminioauthentication-bypassobject-storagehttps://feed.craftedsignal.io/briefs/2026-04-minio-dos/Thu, 09 Apr 2026 17:32:31 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-minio-dos/MinIO's S3 Select feature is vulnerable to denial of service due to unbounded memory allocation when processing CSV files without newlines, leading to memory exhaustion and server crashes.MinIO, an open-source object storage server, is susceptible to a denial-of-service (DoS) vulnerability within its S3 Select functionality. This flaw, present since the introduction of S3 Select support in commit 7c14cdb60e53dbfdad2be644dfb180cab19fffa7 (included in releases since RELEASE.2018-08-18T03-49-57Z), stems from unbounded memory allocation when parsing CSV files. Any authenticated user possessing both s3:PutObject and s3:GetObject permissions can exploit this vulnerability by uploading a specially crafted CSV file lacking newline characters. A relatively small, gzip-compressed CSV file (around 2MB) can decompress into gigabytes of data, triggering excessive memory consumption and causing the MinIO server process to crash. Defenders should upgrade to MinIO AIStor RELEASE.2025-12-20T04-58-37Z or later.

Attack Chain

1. An attacker authenticates to the MinIO server with valid credentials, having both s3:PutObject and s3:GetObject permissions.
2. The attacker crafts a malicious CSV file. This file intentionally lacks newline characters and may be compressed using gzip to maximize its impact.
3. The attacker uploads the malicious CSV file to a MinIO bucket using the s3:PutObject permission.
4. The attacker then sends an S3 Select GetObject request to the MinIO server, specifying the malicious CSV file as the target. This triggers the vulnerable CSV parsing logic.
5. The nextSplit() function in internal/s3select/csv/reader.go attempts to read the CSV file line by line, using bufio.Reader.ReadBytes('\n').
6. Due to the absence of newline characters, the function reads the entire file into memory without any size limitation, leading to unbounded memory allocation.
7. The excessive memory consumption leads to an out-of-memory (OOM) condition on the MinIO server.
8. The MinIO server process crashes, resulting in a denial of service for all users.

Impact

Successful exploitation of this vulnerability results in a denial-of-service condition, rendering the MinIO server unavailable. The attacker can repeatedly trigger the vulnerability, causing prolonged disruption to the service. The vulnerability affects all MinIO deployments using versions RELEASE.2018-08-18T03-49-57Z up to RELEASE.2025-12-03T08-12-39Z. The number of affected installations is unknown. Sectors using MinIO for object storage are vulnerable. If successful, this attack could interrupt services reliant on the object storage.

Recommendation

• Upgrade to MinIO AIStor version RELEASE.2025-12-20T04-58-37Z or later to remediate the vulnerability as documented in the advisory.
• If upgrading is not immediately feasible, disable S3 Select access via IAM policies, specifically denying s3:GetObject actions or SelectObjectContent requests as described in the “Workarounds” section of the advisory.
• Monitor MinIO server resource consumption, particularly memory usage, to detect potential exploitation attempts. Deploy the provided Sigma rule to detect potential DoS attempts.

]]>highadvisorydosminios3selecthttps://feed.craftedsignal.io/briefs/2024-05-minio-metadata-injection/Fri, 27 Mar 2026 22:26:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-05-minio-metadata-injection/A vulnerability in MinIO allows authenticated users with `s3:PutObject` permission to inject internal server-side encryption metadata into objects via crafted replication headers, leading to permanent data unreadability.A flaw in MinIO’s extractMetadataFromMime() function allows any authenticated user with s3:PutObject permission to inject internal server-side encryption (SSE) metadata into objects. This is achieved by sending crafted X-Minio-Replication-* headers on a normal PutObject request. The MinIO server incorrectly maps these headers to X-Minio-Internal-* encryption metadata without validating if the request is a legitimate replication request. Objects written in this manner contain bogus encryption keys and become permanently unreadable through the S3 API. This vulnerability affects all MinIO releases up to the final release of the minio/minio open-source project, specifically versions introduced after commit 468a9fae83e965ecefa1c1fdc2fc57b84ece95b0 (included in RELEASE.2024-03-30T09-41-56Z). It was resolved in MinIO AIStor RELEASE.2026-03-26T21-24-40Z.

Attack Chain

1. Attacker authenticates to the MinIO server with valid credentials having s3:PutObject permissions.
2. The attacker crafts a malicious PutObject request targeting a specific bucket and object key.
3. The attacker includes X-Minio-Replication-Server-Side-Encryption-* headers in the PutObject request.
4. The attacker omits the X-Minio-Source-Replication-Request header, which would normally indicate a legitimate replication request.
5. The MinIO server’s extractMetadataFromMime() function incorrectly maps the crafted X-Minio-Replication-* headers to X-Minio-Internal-Server-Side-Encryption-* headers.
6. The server writes the object metadata, including the bogus encryption keys, to the object storage.
7. Subsequent GetObject or HeadObject requests for the modified object will fail because the server treats the object as encrypted with non-existent or incorrect keys.
8. The attacker achieves a targeted denial-of-service, rendering the object permanently unreadable via the S3 API.

Impact

This vulnerability enables a targeted denial-of-service attack. An attacker can selectively corrupt individual objects or entire buckets within a MinIO deployment. Successful exploitation results in permanent data loss, as affected objects become unreadable through the S3 API. This can disrupt critical services relying on the object storage and potentially impact a large number of users if entire buckets are targeted.

Recommendation

• Upgrade to MinIO AIStor version RELEASE.2026-03-26T21-24-40Z or later to patch the vulnerability as documented in the release notes.
• Implement a reverse proxy or load balancer rule to drop or reject any request containing X-Minio-Replication-Server-Side-Encryption-* headers that does not also include X-Minio-Source-Replication-Request, mitigating the injection path as described in the Workarounds section.
• Review and restrict IAM policies to limit s3:PutObject grants to trusted principals only, reducing the attack surface as noted in the Workarounds section.

]]>highadvisoryminios3metadata-injectiondenial-of-service