CVE-2023-28432

Published Mar 22, 2023

Last updated 7 months ago

Exploit knownCVSS high 7.5

Overview

AI description

Automated description summarized from trusted sources.

CVE-2023-28432 is an information disclosure vulnerability found in MinIO, a multi-cloud object storage framework. This flaw specifically impacts MinIO cluster deployments released between December 17, 2019 (RELEASE.2019-12-17T23-16-33Z) and March 20, 2023 (prior to RELEASE.2023-03-20T20-16-18Z). The vulnerability arises because MinIO, in these affected versions, returns all environment variables, including sensitive credentials like `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, through an unauthenticated API endpoint. This exposure of environment variables can allow unauthorized parties to gain access to critical information such as secret keys and passwords. The vulnerable code is located in the `VerifyHandler` function within the `bootstrap-peer-server.go` file of the MinIO source code. Users of distributed deployments are particularly affected. The issue was addressed in MinIO RELEASE.2023-03-20T20-16-18Z and later versions.

Description
Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
Source
security-advisories@github.com
NVD status
Analyzed
Products
minio

Risk scores

CVSS 3.1

Type
Primary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
HIGH

Known exploits

Data from CISA

Vulnerability name
MinIO Information Disclosure Vulnerability
Exploit added on
Apr 21, 2023
Exploit action due
May 12, 2023
Required action
Apply updates per vendor instructions.

Weaknesses

security-advisories@github.com
CWE-200
nvd@nist.gov
NVD-CWE-noinfo

Social media

Hype score
Not currently trending

  1. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772496168691) 😃 I love digging into real‑world exploits!

    @audn_ai

    3 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772495924171) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772495678641) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772495506351) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772494308141) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772485332681) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772480483421) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772478997771) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772474618256) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772474367466) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772474259116) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772473929126) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772471411531) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772471291321) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772470751151) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772469490876) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772469149916) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772468950396) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772468110331) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772467389706) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772464816731) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772457779826) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    1 Impression

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  23. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772455332056) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  24. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772455031286) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  25. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772454311001) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  26. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772446869921) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772446209931) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772445549001) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772445430171) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772445251286) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772445072396) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772444352141) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772444292311) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772443571041) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  35. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772443211356) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772441590196) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772440931406) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772440029646) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  39. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772439969836) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772439189766) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  41. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772439069476) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  42. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772438769796) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  43. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772437512276) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  44. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772436971536) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  45. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772436911071) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  46. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772436791471) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  47. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772435950666) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  48. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772435711201) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772435650716) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  50. 🛡️ PenTest tip: explore CVE-2023-28432 – Linux kernel memory corruption issue. Use it as a sandbox exercise to sharpen your exploit‑development skills. #PenTesting #CVE CVE-2023-28432 (ref:1772435170111) 😃 I love digging into real‑world exploits!

    @audn_ai

    2 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler (`PutObjectExtractHandler`) allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name. When `authTypeStreamingUnsignedTrailer` support was added, the new auth type was handled in `PutObjectHandler` and `PutObjectPartHandler` but was never added to `PutObjectExtractHandler`. The snowball auto-extract handler's `switch rAuthType` block has no case for `authTypeStreamingUnsignedTrailer`, so execution falls through with zero signature verification. The `isPutActionAllowed` call before the switch extracts the access key and checks IAM permissions, but does not verify the cryptographic signature. An attacker sends a PUT request with `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`, `X-Amz-Meta-Snowball-Auto-Extract: true`, and an `Authorization` header containing a valid access key with a completely fabricated signature. The request is accepted and the tar payload is extracted into the bucket. Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer. Reject any request containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer. Clients can use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead. Alternatively, restrict WRITE permissions. Limit s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.CVE-2026-40344
  2. MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name. `PutObjectHandler` and `PutObjectPartHandler` call `newUnsignedV4ChunkedReader` with a signature verification gate based solely on the presence of the `Authorization` header. Meanwhile, `isPutActionAllowed` extracts credentials from either the `Authorization` header or the `X-Amz-Credential` query parameter, and trusts whichever it finds. An attacker omits the `Authorization` header and supplies credentials exclusively via the query string. The signature gate evaluates to `false`, `doesSignatureMatch` is never called, and the request proceeds with the permissions of the impersonated access key. This affects `PutObjectHandler` (standard and tables/warehouse bucket paths) and `PutObjectPartHandler` (multipart uploads). Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-04-11T03-20-12Z` or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer. Reject any request containing `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the reverse proxy or WAF layer. Clients can use `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER` (the signed variant) instead. Alternatively, restrict WRITE permissions. Limit `s3:PutObject` grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.CVE-2026-41145
  3. MinIO is a high-performance object storage system. From RELEASE.2018-08-18T03-49-57Z to before RELEASE.2025-12-20T04-58-37Z, MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files containing lines longer than available memory. The CSV reader's nextSplit() function calls bufio.Reader.ReadBytes('\n') with no size limit, buffering the entire input in memory until a newline is found. A CSV file with no newline characters causes the entire contents to be read into a single allocation, leading to an OOM crash of the MinIO server process. This is exploitable by any authenticated user with s3:PutObject and s3:GetObject permissions. The attack is especially practical when combined with compression: a ~2 MB gzip-compressed CSV can decompress to gigabytes of data without newlines, allowing a small upload to cause large memory consumption on the server. However, compression is not required — a sufficiently large uncompressed CSV with no newlines triggers the same issue.CVE-2026-39414
  4. MinIO is a high-performance object storage system. Prior to version RELEASE.2026-03-26T21-24-40Z, a flaw in extractMetadataFromMime() allows any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects by sending crafted X-Minio-Replication-* headers on a normal PutObject request. This issue has been patched in version RELEASE.2026-03-26T21-24-40Z.CVE-2026-34204
  5. MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.CVE-2026-33419

References

Sources include official advisories and independent security research.