Auth bypass in MinIO

CVE-2026-40344

MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler (`PutObjectExtractHandle…

Vulnerability class: Broken Authentication

EPSS: 0.002 (36.5th percentile)

Affected products

  • Minio — versions >= RELEASE.2023-05-18T00-05-36Z, < RELEASE.2026-04-11T03-20-12Z

Weakness classification (CWE)

References