Auth bypass in MinIO
CVE-2026-41145
MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path allows…
Vulnerability class: Broken Authentication
EPSS: 0.001 (32.2th percentile)
Affected products
- MinIO — versions >= RELEASE.2023-05-18T00-05-36Z, < RELEASE.2026-04-11T03-20-12Z
Weakness classification (CWE)
References
- https://github.com/minio/minio/security/advisories/GHSA-hv4r-mvr4-25vw (x_refsource_CONFIRM)
- https://github.com/minio/minio/pull/16484 (x_refsource_MISC)
- https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091 (x_refsource_MISC)