{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/object-storage/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["minio","authentication-bypass","object-storage"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMinIO is susceptible to two authentication bypass vulnerabilities affecting all deployments up to AIStor RELEASE.2026-04-11T03-20-12Z. The vulnerability lies within the \u003ccode\u003eSTREAMING-UNSIGNED-PAYLOAD-TRAILER\u003c/code\u003e code path. An attacker possessing a valid access key (including the default \u003ccode\u003eminioadmin\u003c/code\u003e or any key with WRITE permissions) can exploit these flaws to write arbitrary objects to any bucket. This bypass eliminates the need for the secret key or a valid cryptographic signature. One vulnerability involves missing signature verification in \u003ccode\u003ePutObjectExtractHandler\u003c/code\u003e, while the other bypasses signature verification using query-string credentials. These issues stem from the introduction of \u003ccode\u003eauthTypeStreamingUnsignedTrailer\u003c/code\u003e support in commit 76913a9fd, specifically impacting releases from RELEASE.2023-05-18T00-05-36Z onwards.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains a valid MinIO access key, either through default credentials or compromised accounts.\u003c/li\u003e\n\u003cli\u003eFor vulnerability 1, the attacker crafts a PUT request with \u003ccode\u003eX-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER\u003c/code\u003e, \u003ccode\u003eX-Amz-Meta-Snowball-Auto-Extract: true\u003c/code\u003e, and an \u003ccode\u003eAuthorization\u003c/code\u003e header containing the valid access key but a fabricated signature.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the MinIO server\u0026rsquo;s \u003ccode\u003ePutObjectExtractHandler\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDue to the missing signature verification in the \u003ccode\u003ePutObjectExtractHandler\u003c/code\u003e, the request proceeds without proper authentication.\u003c/li\u003e\n\u003cli\u003eThe server extracts the access key and checks IAM permissions via \u003ccode\u003eisPutActionAllowed\u003c/code\u003e, but the fabricated signature is not validated.\u003c/li\u003e\n\u003cli\u003eThe server accepts the request, and the attacker-controlled payload is extracted into the target bucket.\u003c/li\u003e\n\u003cli\u003eFor vulnerability 2, the attacker crafts a PUT or PUT Part request omitting the \u003ccode\u003eAuthorization\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe attacker includes authentication credentials (access key) exclusively via the \u003ccode\u003eX-Amz-Credential\u003c/code\u003e query parameter. Since the \u003ccode\u003eAuthorization\u003c/code\u003e header is missing, signature verification is skipped, and the request proceeds with the permissions of the impersonated access key, allowing the attacker to write arbitrary objects.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows unauthorized users to modify objects within MinIO storage buckets, potentially leading to data breaches, service disruptions, or the injection of malicious content. Any MinIO deployment is affected, creating a widespread risk for organizations relying on MinIO for their storage infrastructure. The CVSS v4.0 score of 8.8 (High) highlights the severity and potential impact of these vulnerabilities. The number of victims depends on the adoption rate of vulnerable MinIO versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to MinIO AIStor version \u003ccode\u003eRELEASE.2026-04-11T03-20-12Z\u003c/code\u003e or later, as indicated in the \u003ca href=\"https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/\"\u003eMinIO AIStor documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement a block at the load balancer or reverse proxy to reject any requests containing \u003ccode\u003eX-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER\u003c/code\u003e, as mentioned in the \u003cstrong\u003eWorkarounds\u003c/strong\u003e section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect MinIO Unsigned Payload Trailer\u003c/code\u003e to identify exploitation attempts based on the presence of the vulnerable header.\u003c/li\u003e\n\u003cli\u003eReview and restrict WRITE permissions (\u003ccode\u003es3:PutObject\u003c/code\u003e) to trusted principals to reduce the attack surface as described in the \u003cstrong\u003eWorkarounds\u003c/strong\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T00:05:52Z","date_published":"2026-04-14T00:05:52Z","id":"/briefs/2026-04-minio-auth-bypass/","summary":"Two authentication bypass vulnerabilities in MinIO allow writing arbitrary objects to any bucket with only a valid access key, without the secret key or valid signature, impacting all MinIO deployments.","title":"MinIO Unauthenticated Object Write Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-minio-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Object-Storage","version":"https://jsonfeed.org/version/1.1"}