A significant security vulnerability has been identified in MinIO, the high-performance, S3-compatible object storage solution widely used for AI/ML and data-intensive workloads. The flaw, rated CVSS 8.8, allows object writes without a valid request signature (effectively unauthenticated writes), exposing deployments to unauthorized data injection.
The heart of the vulnerability lies in the STREAMING-UNSIGNED-PAYLOAD-TRAILER code path. In a normal interaction, MinIO requires a valid cryptographic signature to verify the identity and permissions of the user attempting to write data. In this path, however, the signature check is gated solely on the presence of an Authorization header in the HTTP request: if the header is absent, the check never runs.
By deliberately omitting the Authorization header and instead supplying credentials through the X-Amz-Credential query parameter, an attacker bypasses the signature check entirely. Because the code trusts whichever credential source it finds first, the request proceeds with the full permissions of the impersonated access key, and doesSignatureMatch is never called.
The attack is remarkably simple to execute: it requires only a known valid access key, such as the well-known default minioadmin, and the name of a target bucket. The secret key is never needed, because nothing is signed. With those two values, an attacker can write arbitrary objects to any bucket for which that key has permission.
The vulnerability affects key components of the MinIO architecture, specifically the PutObjectHandler used for standard uploads and the PutObjectPartHandler used for multipart uploads. The flaw has been present in the open-source project since May 2023, affecting all releases through the final open-source version.
Security teams are strongly encouraged to take immediate action to secure their object storage environments.
- Upgrade Immediately: The vulnerability is resolved in MinIO AIStor RELEASE.2026-04-11T03-20-12Z. All users of the open-source project should transition to this version or later.
- Load Balancer Filtering: If an immediate upgrade is not possible, administrators should configure their reverse proxy or Web Application Firewall (WAF) to reject any requests containing the header X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER.
- Permission Hardening: Restricting s3:PutObject grants to only the most trusted principals reduces the attack surface. It does not eliminate the risk, however: only the access key is required, not the secret, so any principal that keeps write permission remains impersonable, and legitimate writers can still use the unsigned path with their own keys.
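The following Go program is an added example, not code from MinIO or from the original report. It implements the load-balancer rule above as a net/http middleware that rejects any request carrying X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER, and separately flags the narrower request shape described earlier (that header, no Authorization header, and credentials offered only through the X-Amz-Credential query parameter) so it can be logged and hunted for. The requests it sends through the filter are constructed inline; the X-Amz-Credential value is a made-up SigV4-style string, and matching the header value case-insensitively is a conservative choice of this example, not something the report states.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Header and value named in the advisory.
const (
	contentShaHeader     = "X-Amz-Content-Sha256"
	unsignedTrailerValue = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"
)

// isUnsignedTrailerRequest implements the advisory's stop-gap rule: any request
// carrying the unsigned-trailer header is rejected, signed or not. Matching is
// case-insensitive as a conservative choice (assumption of this example).
func isUnsignedTrailerRequest(r *http.Request) bool {
	return strings.EqualFold(strings.TrimSpace(r.Header.Get(contentShaHeader)), unsignedTrailerValue)
}

// looksLikeBypassAttempt flags the narrower shape the advisory describes:
// unsigned-trailer header present, Authorization header absent, credentials
// supplied only via the X-Amz-Credential query parameter. Use it for alerting
// and log review; the blocking rule above is what the advisory recommends.
func looksLikeBypassAttempt(r *http.Request) bool {
	return isUnsignedTrailerRequest(r) &&
		r.Header.Get("Authorization") == "" &&
		r.URL.Query().Get("X-Amz-Credential") != ""
}

// rejectUnsignedTrailer wraps an upstream handler, applies the broad rule and
// logs when the narrower bypass pattern is seen.
func rejectUnsignedTrailer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isUnsignedTrailerRequest(r) {
			if looksLikeBypassAttempt(r) {
				log.Printf("possible signature bypass attempt: %s %s from %s", r.Method, r.URL.Path, r.RemoteAddr)
			}
			http.Error(w, "unsigned trailer uploads are not accepted", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newRequest builds a constructed request with the given headers (no real traffic).
func newRequest(method, target string, headers map[string]string) *http.Request {
	req := httptest.NewRequest(method, target, nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	return req
}

// isBypassShaped reports whether a constructed request matches the narrow pattern.
func isBypassShaped(method, target string, headers map[string]string) bool {
	return looksLikeBypassAttempt(newRequest(method, target, headers))
}

// filteredStatus sends a constructed request through the middleware in front of
// a stand-in upstream (which accepts everything) and returns the resulting status.
func filteredStatus(method, target string, headers map[string]string) int {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // stand-in for MinIO accepting the write
	})
	rec := httptest.NewRecorder()
	rejectUnsignedTrailer(upstream).ServeHTTP(rec, newRequest(method, target, headers))
	return rec.Code
}

func main() {
	// Constructed requests; the credential string is a made-up SigV4-style value.
	bypass := "/bucket/object?X-Amz-Credential=minioadmin/20240101/us-east-1/s3/aws4_request"
	blocked := filteredStatus(http.MethodPut, bypass,
		map[string]string{contentShaHeader: unsignedTrailerValue})
	allowed := filteredStatus(http.MethodPut, "/bucket/object",
		map[string]string{contentShaHeader: "UNSIGNED-PAYLOAD", "Authorization": "AWS4-HMAC-SHA256 ..."})
	fmt.Println("unsigned trailer without Authorization:", blocked) // 403
	fmt.Println("ordinary signed upload:", allowed)                // 200
}
```

Deploying this rule in front of a production cluster will also reject legitimate clients that upload with unsigned trailers, so test against the SDKs in use before rolling it out, and treat it as a bridge to the fixed release rather than a permanent control.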