CVE-2026-41145

Impact

What kind of vulnerability is it? Who is impacted?

An authentication bypass vulnerability in MinIO's STREAMING-UNSIGNED-PAYLOAD-TRAILER code path

allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing

the secret key or providing a valid cryptographic signature.

Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default

minioadmin, or any key with WRITE permission on a bucket) and a target bucket name.

PutObjectHandler and PutObjectPartHandler call newUnsignedV4ChunkedReader with a signature

verification gate based solely on the presence of the Authorization header:

newUnsignedV4ChunkedReader(r, true, r.Header.Get(xhttp.Authorization) != "")

Meanwhile, isPutActionAllowed extracts credentials from either the Authorization header or the

X-Amz-Credential query parameter, and trusts whichever it finds. An attacker omits the

Authorization header and supplies credentials exclusively via the query string. The signature gate

evaluates to false, doesSignatureMatch is never called, and the request proceeds with the

permissions of the impersonated access key.

This affects PutObjectHandler (standard and tables/warehouse bucket paths) and

PutObjectPartHandler (multipart uploads).

Affected components: cmd/object-handlers.go (PutObjectHandler),

cmd/object-multipart-handlers.go (PutObjectPartHandler).

Affected Versions

All MinIO releases through the final release of the minio/minio open-source project.

The vulnerability was introduced in commit

76913a9fd

("Signed trailers for signature v4", PR #16484),

which added authTypeStreamingUnsignedTrailer support. The first affected release is

RELEASE.2023-05-18T00-05-36Z.

Patches

Fixed in: MinIO AIStor RELEASE.2026-04-11T03-20-12Z

Binary Downloads

| Platform | Architecture | Download                                                                    |

| -------- | ------------ | --------------------------------------------------------------------------- |

| Linux    | amd64        | minio           |

| Linux    | arm64        | minio           |

| macOS    | arm64        | minio          |

| macOS    | amd64        | minio          |

| Windows  | amd64        | minio.exe |

FIPS Binaries

| Platform | Architecture | Download                                                                    |

| -------- | ------------ | --------------------------------------------------------------------------- |

| Linux    | amd64        | minio.fips |

| Linux    | arm64        | minio.fips |

Package Downloads

| Format | Architecture | Download                                                                                                                            |

| ------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------- |

| DEB    | amd64        | minio20260411032012.0.0amd64.deb         |

| DEB    | arm64        | minio20260411032012.0.0arm64.deb         |

| RPM    | amd64        | minio-20260411032012.0.0-1.x86_64.rpm   |

| RPM    | arm64        | minio-20260411032012.0.0-1.aarch64.rpm |

Container Images

## Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z
## FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips

Homebrew (macOS)

brew install minio/aistor/minio

Workarounds

• Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later.

If upgrading is not immediately possible:

• Block unsigned-trailer requests at the load balancer. Reject any request containing

  X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer.

  Clients can use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead.

• Restrict WRITE permissions. Limit s3:PutObject grants to trusted principals. While this

  reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE

  permission can exploit it with only their access key.

Credits

• Finder: Arvin Shivram of Brutecat Security (@ddd)