Vulnerability DatabaseCVE-2026-40344
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-40344
Published:April 22, 2026
Updated:May 18, 2026
MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler ("PutObjectExtractHandler") allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default "minioadmin", or any key with WRITE permission on a bucket) and a target bucket name. When "authTypeStreamingUnsignedTrailer" support was added, the new auth type was handled in "PutObjectHandler" and "PutObjectPartHandler" but was never added to "PutObjectExtractHandler". The snowball auto-extract handler's "switch rAuthType" block has no case for "authTypeStreamingUnsignedTrailer", so execution falls through with zero signature verification. The "isPutActionAllowed" call before the switch extracts the access key and checks IAM permissions, but does not verify the cryptographic signature. An attacker sends a PUT request with "X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER", "X-Amz-Meta-Snowball-Auto-Extract: true", and an "Authorization" header containing a valid access key with a completely fabricated signature. The request is accepted and the tar payload is extracted into the bucket. Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer. Reject any request containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer. Clients can use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead. Alternatively, restrict WRITE permissions. Limit s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.
Affected Packages
https://github.com/minio/minio.git (GITHUB):
Affected version(s) >=RELEASE.2023-05-18T00-05-36Z <RELEASE.2026-04-11T03-20-12Z
Fix Suggestion:
Update to version RELEASE.2026-04-11T03-20-12Z
github.com/minio/minio (GO):
Affected version(s) >=RELEASE.2023-05-18T00-05-36Z <RELEASE.2026-04-11T03-20-12Z
Fix Suggestion:
Update to version RELEASE.2026-04-11T03-20-12Z
Related Resources (5)
https://nvd.nist.gov/vuln/detail/CVE-2026-40344
https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091
https://github.com/minio/minio/pull/16484
https://github.com/minio/minio
https://github.com/minio/minio/security/advisories/GHSA-9c4q-hq6p-c237
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
HIGH
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.2
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
LOW
Weakness Type (CWE)
Missing Authentication for Critical Function
CWE-306
Improper Authentication
CWE-287
EPSS
Base Score:
0.15