MinIO Unauthenticated Object Write via Snowball Auto-Extract (CVE-2026-40344)

Vulnerability Summary: Snowball Auto-Extract Unauthorized Object Write Vulnerability Overview Title: Unauthenticated Object Write via Missing Signature Verification in Snowball Auto-Extract CVE ID: CVE-2026-40344 Severity: High (8.8 / 10) Description: The Snowball auto-extract handler in MinIO has an authentication bypass vulnerability. An attacker can use a valid access key (without knowing the secret key or providing a valid cryptographic signature) to write arbitrary objects to any bucket. Impact Scope Affected Component: function in . Affected Versions: All MinIO versions up to and including release . Vulnerability Introduction: Introduced in commit (PR #16484), which added support for . Attack Vector: The attacker sends a PUT request containing the headers and , along with an Authorization header that includes a valid access key but a completely forged signature. The request is accepted, and the tar payload is extracted into the bucket. Remediation Fixed Version: MinIO AISTOR or later. Binary Downloads: Linux amd64: Linux arm64: macOS amd64: macOS arm64: Windows amd64: FIPS Binaries: Linux amd64: Linux arm64: Package Downloads: DEB amd64: DEB arm64: RPM amd64: RPM arm64: Container Images: Homebrew (macOS): Temporary Mitigations: Block unsigned requests containing at the load balancer level. Clients should use (the signed variant). Restrict permissions to trusted principals. While this does not eliminate the vulnerability, it reduces the attack surface since only users with permission can exploit their access keys.

Goal Reached Thanks to every supporter — we hit 100%!

MinIO Unauthenticated Object Write via Snowball Auto-Extract (CVE-2026-40344)

More from this source