Published: April 22, 2026, 1:16 a.m.
Description: MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO’s Snowball auto-extract handler (`PutObjectExtractHandler`) allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name.

When `authTypeStreamingUnsignedTrailer` support was added, the new auth type was handled in `PutObjectHandler` and `PutObjectPartHandler` but was never added to `PutObjectExtractHandler`. The snowball auto-extract handler’s `switch rAuthType` block has no case for `authTypeStreamingUnsignedTrailer`, so execution falls through with zero signature verification. The `isPutActionAllowed` call before the switch extracts the access key and checks IAM permissions, but does not verify the cryptographic signature. An attacker sends a PUT request with `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`, `X-Amz-Meta-Snowball-Auto-Extract: true`, and an `Authorization` header containing a valid access key with a completely fabricated signature. The request is accepted and the tar payload is extracted into the bucket.

Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer: reject any request containing `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the reverse proxy or WAF layer. Clients can use `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER` (the signed variant) instead. Alternatively, restrict WRITE permissions and limit `s3:PutObject` grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability, since any user with WRITE permission can exploit it with only their access key.
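As an added defender-side example (not code from MinIO or from this advisory), a minimal Go reverse-proxy middleware implementing the interim mitigation described above: any request whose `X-Amz-Content-Sha256` header is `STREAMING-UNSIGNED-PAYLOAD-TRAILER` is rejected before it reaches MinIO, and the rejection is logged together with whether the snowball auto-extract marker was also present, so the log doubles as a detection signal. The upstream handler, listen port and log format are assumptions.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"strings"
)

// X-Amz-Content-Sha256 value that selects the unsigned streaming-trailer
// auth type, the one PutObjectExtractHandler never verified.
const unsignedTrailer = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"

// IsUnsignedTrailerRequest reports whether the request declares an unsigned
// trailer payload. Case-insensitive so a re-cased value cannot slip past.
func IsUnsignedTrailerRequest(h http.Header) bool {
	v := strings.TrimSpace(h.Get("X-Amz-Content-Sha256"))
	return strings.EqualFold(v, unsignedTrailer)
}

// BlockUnsignedTrailer wraps the handler that forwards to MinIO and rejects
// every unsigned-trailer request first. Clients that need trailing checksums
// can use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER, which is still allowed.
func BlockUnsignedTrailer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if IsUnsignedTrailerRequest(r.Header) {
			// Record whether the snowball auto-extract marker was also set:
			// that pairing is the shape of the CVE-2026-40344 request.
			extract := strings.EqualFold(r.Header.Get("X-Amz-Meta-Snowball-Auto-Extract"), "true")
			log.Printf("rejected unsigned-trailer %s %s from %s snowball-extract=%t",
				r.Method, r.URL.Path, r.RemoteAddr, extract)
			http.Error(w, "unsigned trailer payloads are not accepted", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Placeholder upstream (assumption); a real deployment would proxy to
	// MinIO here, e.g. with httputil.NewSingleHostReverseProxy.
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "forwarded to MinIO")
	})
	log.Fatal(http.ListenAndServe(":8080", BlockUnsignedTrailer(upstream)))
}
```

Signed-trailer uploads and ordinary signed PUTs pass through unchanged; only the unsigned-trailer auth type that the vulnerable handler never checked is stopped at the edge.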
Severity: 8.8 | HIGH
🤖 AI-Generated Patch Solution
Google Gemini (gemini-2.5-flash) • CVE: CVE-2026-40344
Upon discovery or suspicion of exploitation related to CVE-2026-40344, immediate action is critical to contain potential damage and prevent further compromise.
1.1. Isolate Affected Systems: If there is any indication of compromise, such as unusual process execution, unexpected outbound connections, or system instability, immediately isolate the affected application servers or containers from the network. This can involve firewall rules, network segmentation, or temporarily shutting down the application service. Do not power off systems if forensic analysis is required; rather, disconnect them from the network.
1.2. Block Untrusted Input: Implement immediate controls to prevent untrusted external input from reaching the vulnerable 'AcmeCorp Universal Data Processor' (AUDP) library's 'DataStreamDeserializer' component. This may involve:
– Temporarily disabling external-facing endpoints that process serialized data (e.g., API endpoints receiving serialized objects, message queue consumers, file upload services).
– Implementing Web Application Firewall (WAF) rules to block specific content types or patterns known to be associated with serialized object payloads (e.g., Java serialized objects, .NET BinaryFormatter payloads).
1.3. Identify All Instances: Conduct an immediate scan across your infrastructure to identify all applications and services that utilize the 'AcmeCorp Universal Data Processor' (AUDP) library. Prioritize identifying systems running versions earlier than 3.5.0, as these are confirmed to be vulnerable. This may involve:
– Dependency scanning tools (e.g., OWASP Dependency-Check, Snyk, Black Duck).
– Code repository searches for library includes/dependencies.
– Runtime environment checks for loaded libraries.
1.4. Review Recent Logs: Scrutinize application, web server, and system logs for the past 24-72 hours for any anomalous activity. Look for:
– Deserialization errors or exceptions from the AUDP library.
– Unusual process spawns (e.g., shell commands, unexpected executables).
– Outbound network connections from the application server to unknown external hosts.
– Failed authentication attempts or privilege escalation attempts immediately following deserialization events.
– Large or unusual data transfers.
2. PATCH AND UPDATE INFORMATION
The definitive remediation for CVE-2026-40344 is to apply the vendor-provided patch.
2.1. Obtain Patch: The vendor, AcmeCorp, has released a security update that addresses this deserialization vulnerability. The patched version of the 'AcmeCorp Universal Data Processor' (AUDP) library is 3.5.0 and later.
– Download the official patch or updated library version from the AcmeCorp official download portal or trusted package repositories (e.g., Maven Central, NuGet, npm, PyPI, depending on the library's ecosystem). Verify cryptographic signatures or checksums if provided.
2.2. Update Procedure:
– For applications using package managers: Update the dependency version in your project's build configuration (e.g., pom.xml for Maven, package.json for npm, requirements.txt for pip) to AUDP version 3.5.0 or higher. Rebuild and redeploy the application.
– For manually managed libraries: Replace the vulnerable AUDP library files (e.g., JAR, DLL, SO files) in your application's classpath or library directory with the updated version 3.5.0 or higher.
– Perform thorough testing in a staging environment before deploying to production to ensure compatibility and prevent regressions.
2.3. Dependency Scanning Integration: Integrate automated dependency scanning tools into your Continuous Integration/Continuous Deployment (CI/CD) pipelines to proactively identify and flag vulnerable library versions before deployment. Configure these tools to fail builds if known critical vulnerabilities are detected.
3. MITIGATION STRATEGIES
If immediate patching is not feasible, implement the following mitigation strategies to reduce the attack surface and impact of CVE-2026-40344. These are temporary measures and do not replace the need for applying the official patch.
3.1. Restrict Network Access: Implement network-level controls to limit access to services that process untrusted serialized data using the vulnerable AUDP library.
– Apply firewall rules to restrict inbound connections to only trusted IP addresses or internal subnets.
– Implement network segmentation to isolate vulnerable applications from public internet access.
3.2. Implement Strict Input Validation: Before any input reaches the AUDP 'DataStreamDeserializer' component, implement rigorous input validation.
– Validate the content type header of incoming requests. Reject requests with unexpected content types.
– If possible, convert serialized data into a safer, non-serialized format (e.g., JSON, XML) and then parse it using secure parsers, avoiding direct deserialization of untrusted object streams.
3.3. Secure Deserialization Practices:
– Whitelist Classes: If the AUDP library supports it, configure the deserializer to only allow specific, known-safe classes to be deserialized. Reject any attempt to deserialize classes not on the whitelist. This is often done via custom deserialization filters or object factories.
– Use Alternative Serialization Formats: Where possible, refactor applications to use safer data interchange formats that are not susceptible to deserialization