Listen to this Post
The vulnerability exists in MinIO’s handling of STREAMING-UNSIGNED-PAYLOAD-TRAILER requests.
When processing PutObject or PutObjectPart calls, the function newUnsignedV4ChunkedReader receives a boolean signature gate that depends only on whether the Authorization HTTP header is present.
Simultaneously, isPutActionAllowed extracts credentials from either the Authorization header or the X-Amz-Credential query parameter, trusting whichever it finds.
An attacker omits the Authorization header entirely and places a valid access key (e.g., minioadmin) inside X-Amz-Credential in the query string.
Because the Authorization header is missing, the signature gate evaluates to false, so doesSignatureMatch is never invoked.
The request then proceeds using the permissions of the access key supplied in the query parameter, without any secret key or cryptographic signature.
This allows writing arbitrary objects to any bucket for which that access key has WRITE permission.
The attack requires only knowledge of a valid access key and a target bucket name.
Default credentials like minioadmin work out of the box.
The vulnerability was introduced in commit 76913a9fd (“Signed trailers for signature v4”, PR 16484) which added authTypeStreamingUnsignedTrailer support.
First affected release: RELEASE.2023-05-18T00-05-36Z.
All subsequent MinIO open‑source releases up to the final community edition are vulnerable.
Affected handlers: PutObjectHandler (cmd/object-handlers.go) and PutObjectPartHandler (cmd/object-multipart-handlers.go).
The code path is triggered when the header X-Amz-Content-Sha256 equals STREAMING-UNSIGNED-PAYLOAD-TRAILER.
No signature validation occurs for such requests if the Authorization header is absent.
Any deployment that exposes the S3 API is impacted.
Multipart uploads are also vulnerable via PutObjectPartHandler.
The flaw effectively bypasses S3 signature version 4 authentication.
An attacker can write, overwrite, or delete objects depending on the access key’s permissions.
The fix removes the trust of query‑string credentials when the unsigned trailer path is taken.
dailycve form:
Platform: MinIO AIStor
Version: RELEASE.2023-05-18 onward
Vulnerability: Authentication Bypass
Severity: Critical
date: 2026-04-14
Prediction: Patched 2026-04-11
What Undercode Say:
Analytics:
Check if your MinIO version is vulnerable
minio --version | grep RELEASE.2023-05-18
Simulate bypass (requires valid access key)
BUCKET="target-bucket"
KEY="malicious-object"
ACCESS="minioadmin"
ENDPOINT="http://minio.example.com"
curl -X PUT "${ENDPOINT}/${BUCKET}/${KEY}" \
-H "X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER" \
--data-binary "malicious data" \
-G --data-urlencode "X-Amz-Credential=${ACCESS}/us-east-1/s3/aws4_request" \
--data-urlencode "X-Amz-Date=20260414T000000Z" \
--data-urlencode "X-Amz-Algorithm=AWS4-HMAC-SHA256" \
--data-urlencode "X-Amz-SignedHeaders=host"
Verify object was written without secret key
aws --endpoint-url ${ENDPOINT} s3 ls s3://${BUCKET}/${KEY} --no-sign-request
Exploit:
Send a PUT request with X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER, no `Authorization` header, and a query string containing X-Amz-Credential=<valid_access_key>/.... The server accepts the object as if signed.
Protection from this CVE
Upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later.
If upgrade impossible, block requests containing `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at reverse proxy/WAF.
Alternatively, use signed trailer variant `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER`.
Restrict `s3:PutObject` permissions to minimize blast radius.
Impact
Any user with a valid access key (including default minioadmin) can write arbitrary objects to any bucket without the corresponding secret key. Attackers can upload malware, overwrite critical data, or fill storage. No signature or secret required. All MinIO deployments exposing S3 API are affected.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

