CVE-2026-42600
Published:May 11, 2026
Updated:May 16, 2026
MinIO is a high-performance object storage system. From RELEASE.2022-07-24T01-54-52Z to before RELEASE.2026-04-14T21-32-45Z, A path traversal vulnerability in MinIO's ReadMultiple internode storage-REST endpoint allows a caller holding the cluster root JWT to read files from outside the configured drive roots, bounded only by the MinIO process UID. The attacker sends POST minio/storage/{drivePath}/v63/rmpl with a msgpack-encoded body carrying ../ sequences in the Bucket field. The server opens the resulting path via os.OpenFile with O_RDONLY|O_NOATIME and returns its contents in the msgpack response stream. This vulnerability is fixed in RELEASE.2026-04-14T21-32-45Z.
Affected Packages
https://github.com/minio/minio.git (GITHUB):
Affected version(s) >=RELEASE.2022-07-24T01-54-52Z <RELEASE.2026-04-14T21-32-45ZFix Suggestion:
Update to version RELEASE.2026-04-14T21-32-45Zgithub.com/minio/minio (GO):
Affected version(s) >=RELEASE.2022-07-24T01-54-52Z <RELEASE.2026-04-14T21-32-45ZFix Suggestion:
Update to version RELEASE.2026-04-14T21-32-45ZRelated Resources (3)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.9
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
EPSS
Base Score:
0.06