Published: April 22, 2026, 1:16 a.m.
Description: MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass in MinIO's `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path allows any user who knows a valid access key to write arbitrary objects to a bucket without knowing the secret key or providing a valid cryptographic signature. Every MinIO deployment in that release range is affected. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name.

Root cause: `PutObjectHandler` and `PutObjectPartHandler` call `newUnsignedV4ChunkedReader` with a signature-verification gate that depends solely on whether an `Authorization` header is present. Meanwhile, `isPutActionAllowed` extracts credentials from either the `Authorization` header or the `X-Amz-Credential` query parameter and trusts whichever it finds. An attacker therefore omits the `Authorization` header and supplies the credential exclusively in the query string: the gate evaluates to `false`, `doesSignatureMatch` is never called, and the request proceeds with the permissions of the impersonated access key. The affected paths are `PutObjectHandler` (standard and tables/warehouse bucket paths) and `PutObjectPartHandler` (multipart uploads).

Remediation: Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-04-11T03-20-12Z` or later.

Workarounds: If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer: reject any request containing `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the reverse proxy or WAF layer. Clients can use `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER` (the signed variant) instead. Alternatively, restrict WRITE permissions by limiting `s3:PutObject` grants to trusted principals. This reduces the attack surface but does not eliminate the vulnerability, since any user who still has WRITE permission can exploit it with only their access key.
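The gate described above, as an added Go model that is not MinIO's own code: it contrasts the pre-fix decision (signature verified only when an `Authorization` header is present) with a hardened gate that verifies whichever credential source the request uses. The credential store, the simplified HMAC-over-method-and-path signature standing in for SigV4, and the names `sign`, `credentials`, `signatureMatches`, `vulnerableAllowsPut`, `hardenedAllowsPut` and `newPut` are all assumptions made for this illustration and do not reproduce MinIO's real handlers.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"strings"
)

const unsignedTrailer = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"

// Constructed credential store for the example (access key -> secret key).
var knownKeys = map[string]string{
	"minioadmin": "example-secret-not-a-real-credential",
}

// sign stands in for SigV4: an HMAC-SHA256 over method and path, hex-encoded.
// Real SigV4 covers many more fields; only the gating logic matters here.
func sign(secret, method, path string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(method + "\n" + path))
	return hex.EncodeToString(mac.Sum(nil))
}

// credentials mirrors the advisory's description of isPutActionAllowed: the
// access key is taken from the Authorization header if present, otherwise from
// the X-Amz-Credential query parameter, whichever the request happens to carry.
func credentials(r *http.Request) (accessKey, signature string) {
	if auth := r.Header.Get("Authorization"); auth != "" {
		// Simplified header: "AWS4-HMAC-SHA256 Credential=<key>, Signature=<hex>"
		for _, part := range strings.Split(strings.TrimPrefix(auth, "AWS4-HMAC-SHA256 "), ",") {
			kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
			if len(kv) != 2 {
				continue
			}
			switch kv[0] {
			case "Credential":
				accessKey = kv[1]
			case "Signature":
				signature = kv[1]
			}
		}
		return accessKey, signature
	}
	q := r.URL.Query()
	return q.Get("X-Amz-Credential"), q.Get("X-Amz-Signature")
}

// signatureMatches plays the role of doesSignatureMatch for the toy scheme.
func signatureMatches(r *http.Request, accessKey, signature string) bool {
	secret, ok := knownKeys[accessKey]
	if !ok {
		return false
	}
	expected := sign(secret, r.Method, r.URL.Path)
	return hmac.Equal([]byte(expected), []byte(signature))
}

// vulnerableAllowsPut models the pre-fix gate: on the unsigned-trailer path the
// signature is verified only if an Authorization header is present, so a
// request that carries its credential in the query string is never checked.
func vulnerableAllowsPut(r *http.Request) bool {
	accessKey, signature := credentials(r)
	if _, known := knownKeys[accessKey]; !known {
		return false
	}
	if r.Header.Get("X-Amz-Content-Sha256") == unsignedTrailer &&
		r.Header.Get("Authorization") == "" {
		return true // the bypass: identity taken from the query, signature never verified
	}
	return signatureMatches(r, accessKey, signature)
}

// hardenedAllowsPut verifies the signature no matter which source the
// credential came from; a request with no signature is simply rejected.
func hardenedAllowsPut(r *http.Request) bool {
	accessKey, signature := credentials(r)
	if signature == "" {
		return false
	}
	return signatureMatches(r, accessKey, signature)
}

// newPut builds a PUT request with the given headers (helper for the demo).
func newPut(rawURL string, headers map[string]string) *http.Request {
	r, err := http.NewRequest(http.MethodPut, rawURL, nil)
	if err != nil {
		panic(err)
	}
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	bypass := newPut("http://minio.example/backups/evil.bin?X-Amz-Credential=minioadmin",
		map[string]string{"X-Amz-Content-Sha256": unsignedTrailer})
	fmt.Println("vulnerable gate:", vulnerableAllowsPut(bypass)) // true
	fmt.Println("hardened gate:  ", hardenedAllowsPut(bypass))   // false
}
```

The point the model makes explicit is that the fix is not "also check the query string for a signature" in the unsigned-trailer branch only, but that the decision to verify must never hinge on which transport the credential arrived on: if a request names an identity, its signature is checked, and a request with no signature is rejected.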
Severity: 8.8 | HIGH
🤖 AI-Generated Patch Solution
Google Gemini (gemini-2.5-flash) • CVE: CVE-2026-41145
Restrict network reachability of affected MinIO API endpoints where feasible, without disrupting critical workloads: limit ingress to the S3 API port to known clients and load balancers, and keep internet-exposed instances behind a reverse proxy or WAF that can enforce a header-based block.
Review MinIO server and audit logs, together with reverse proxy and WAF logs, for signs of exploitation: PUT object and multipart upload-part requests that carry `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`, lack an `Authorization` header, and supply credentials only through the `X-Amz-Credential` query parameter. Follow up on any object written by a principal that normally has no reason to write to that bucket, and on writes attributed to the default `minioadmin` access key.
Deploy an emergency rule at the reverse proxy, load balancer or WAF that rejects any request containing `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`. Legitimate clients can use the signed variant, `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER`, instead. This is a temporary perimeter defense until the upgrade is in place.
Identify every MinIO instance in your environment and record its release: versions from RELEASE.2023-05-18T00-05-36Z up to, but not including, RELEASE.2026-04-11T03-20-12Z are affected. Prioritize instances that are internet-facing or whose access keys are widely distributed.
Notify internal stakeholders (incident response, system owners, bucket owners and management) that the vulnerability lets anyone holding a valid access key write objects without the secret key, and that remediation is under way.
2. PATCH AND UPDATE INFORMATION
The fix is available: upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later, which is what the advisory directs users of the open-source `minio/minio` project to do. Continue to monitor vendor advisories for follow-up guidance.
Test the upgrade in a non-production environment that mirrors production before rolling it out, and verify that existing clients, including any that use streaming uploads with trailers, still function.
Prioritize internet-facing instances, buckets holding sensitive or integrity-critical data (backups, build artifacts, configuration), and instances whose access keys are shared widely. Use a phased rollout to limit disruption.
Note that the flaw is in MinIO's own request-authentication code path, not in a third-party library: updating dependencies does not help, the server binary itself must be upgraded.
If the upgrade cannot be applied immediately, apply the perimeter block on the unsigned-trailer header and tighten WRITE permissions as described under mitigation. These reduce exposure but do not remove the vulnerability.
3. MITIGATION STRATEGIES
Reject any request containing `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the reverse proxy, load balancer or WAF in front of MinIO. This is the vendor-recommended workaround; clients that need streaming uploads with trailers can use the signed `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER` variant.
Do not block requests merely because they carry `X-Amz-Credential` in the query string: presigned URLs legitimately do so. The distinguishing feature of the attack is the unsigned-trailer header combined with a missing `Authorization` header.
Enforce least privilege on bucket and user policies: limit `s3:PutObject` grants to the principals that actually need to write. This shrinks the set of access keys an attacker can impersonate, but any remaining WRITE-capable key is still exploitable with the access key alone.
Change the well-known default `minioadmin` credentials wherever they are still in use, and treat access keys as sensitive: they appear in client configuration, CI variables and logs, and for this bug an access key alone is enough to write.
Restrict which networks can reach the MinIO API. The attack still needs network access to the S3 endpoint, so segmentation limits who can attempt it.
Because a successful attack writes arbitrary objects, protect integrity downstream: enable versioning or object locking on buckets where tampering would be damaging (backups, artifacts consumed by builds or deployments) so that an injected or overwritten object can be detected and rolled back.
4. DETECTION METHODS
Configure centralized logging for MinIO server and audit logs and for the reverse proxy, WAF or load balancer in front of it, and look for:
* PUT object or multipart upload-part requests carrying `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` with no `Authorization` header, especially when `X-Amz-Credential` is present in the query string.
* Object writes attributed to the default `minioadmin` access key, or to access keys that do not normally write to the target bucket.
* Unexpected new or modified objects, particularly executables, scripts, backups or artifacts that downstream systems consume.
* Writes originating from source addresses or networks that are not known clients of the bucket.
* High CPU or memory utilization spikes not correlated
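For the perimeter block under mitigation and the log indicators under detection, here is an added Go example that is not from the advisory or the MinIO project: a reverse-proxy style `http.Handler` wrapper that rejects unsigned-trailer uploads and only alerts on query-string-only credentials (so presigned URLs keep working), and a scanner that applies the same indicators to access-log lines. The log line format, the sample lines and the names `indicators`, `guard` and `scanAccessLog` are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

const unsignedTrailer = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"

// indicators names the request properties the advisory ties to the bypass:
// the unsigned-trailer header, and a credential supplied only via the query
// string with no Authorization header. Only PUTs are of interest, since the
// affected handlers are PutObject and PutObjectPart.
func indicators(method string, u *url.URL, authorization, contentSHA256 string) []string {
	if method != http.MethodPut {
		return nil
	}
	var tags []string
	if contentSHA256 == unsignedTrailer {
		tags = append(tags, "unsigned-trailer")
	}
	if authorization == "" && u.Query().Get("X-Amz-Credential") != "" {
		tags = append(tags, "query-credential-no-authorization")
	}
	return tags
}

// guard is the advisory's perimeter rule as an http.Handler wrapper: requests
// carrying the unsigned trailer are rejected before they reach MinIO. A
// query-string credential on its own is only alerted on, because presigned
// URLs legitimately carry X-Amz-Credential and must keep working.
func guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tags := indicators(r.Method, r.URL, r.Header.Get("Authorization"), r.Header.Get("X-Amz-Content-Sha256"))
		for _, tag := range tags {
			if tag == "unsigned-trailer" {
				http.Error(w, "unsigned-trailer uploads are blocked; use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER", http.StatusForbidden)
				return
			}
		}
		if len(tags) > 0 {
			fmt.Printf("ALERT %s %s %s\n", r.Method, r.URL.RequestURI(), strings.Join(tags, ","))
		}
		next.ServeHTTP(w, r)
	})
}

// sampleLog is constructed for this example. The format (method, request URI,
// whether Authorization was present, and the X-Amz-Content-Sha256 value) is
// invented; map your proxy's own access-log fields onto it.
var sampleLog = []string{
	"PUT /backups/nightly.tar?X-Amz-Credential=minioadmin authorization=- x-amz-content-sha256=STREAMING-UNSIGNED-PAYLOAD-TRAILER",
	"PUT /backups/nightly.tar authorization=present x-amz-content-sha256=STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER",
	"GET /backups/nightly.tar?X-Amz-Credential=reader authorization=- x-amz-content-sha256=-",
	"PUT /logs/app.log?X-Amz-Credential=uploader&X-Amz-Signature=abc123 authorization=- x-amz-content-sha256=UNSIGNED-PAYLOAD",
}

// scanAccessLog applies the same indicators to historical log lines and
// returns each matching line annotated with the indicators it triggered.
func scanAccessLog(lines []string) []string {
	var hits []string
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue
		}
		u, err := url.Parse(f[1])
		if err != nil {
			continue
		}
		auth := strings.TrimPrefix(f[2], "authorization=")
		if auth == "-" {
			auth = ""
		}
		sha := strings.TrimPrefix(f[3], "x-amz-content-sha256=")
		if tags := indicators(f[0], u, auth, sha); len(tags) > 0 {
			hits = append(hits, line+" => "+strings.Join(tags, ","))
		}
	}
	return hits
}

func main() {
	for _, h := range scanAccessLog(sampleLog) {
		fmt.Println(h)
	}
}
```

The same condition, a match on the `X-Amz-Content-Sha256` request header value, is what you would express in an nginx, HAProxy or WAF rule instead of an in-process handler; the handler form is used here only so the logic can be exercised offline against constructed requests and log lines.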