MinIO Authentication Bypass Vulnerability Allowing Unauthenticated Object Writes via Query String Credentials

Vulnerability

An authentication bypass vulnerability has been identified in MinIO's object storage system, specifically in the 'STREAMING-UNSIGNED-PAYLOAD-TRAILER' code path. It allows anyone who knows a valid access key to write arbitrary objects to any bucket, without possessing the secret key or producing a valid cryptographic signature. The issue affects all MinIO deployments through the last release of the open-source 'minio/minio' project. The vulnerability was introduced in version 'RELEASE.2023-05-18T00-05-36Z' and patched in 'RELEASE.2026-04-11T03-20-12Z'. The root cause is that the 'PutObjectHandler' and 'PutObjectPartHandler' functions call 'newUnsignedV4ChunkedReader' with a signature check that only considers the 'Authorization' header, so a request that carries its credentials in the query string is never verified. An attacker can exploit this by omitting the 'Authorization' header and supplying the 'X-Amz-Credential' query parameter instead, bypassing signature verification and gaining unauthorized write access to buckets.

Impact

Exploitation of this vulnerability allows unauthenticated writes to any bucket, potentially leading to unauthorized data manipulation or the storage of malicious objects.

Reproduction

To reproduce this vulnerability, send a 'PUT' request to a MinIO server with the 'X-Amz-Credential' query parameter containing a valid access key. Omit the 'Authorization' header. The request will be processed without signature verification, allowing arbitrary objects to be written to the specified bucket.

Remediation

Users should upgrade to MinIO AIStor 'RELEASE.2026-04-11T03-20-12Z' or later. If an immediate upgrade is not possible, block unsigned-trailer requests at the load balancer or reverse proxy level, and restrict write permissions to trusted principals.
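The following Go HTTP middleware is an added example, not code from the advisory or from the MinIO project, of the interim mitigation above: a filter that a reverse proxy in front of MinIO could apply to object writes. It assumes that the 'STREAMING-UNSIGNED-PAYLOAD-TRAILER' marker is carried in the 'X-Amz-Content-Sha256' header, as in AWS Signature Version 4 streaming uploads, and that query-string authentication is recognisable by the 'X-Amz-Credential' parameter named in the advisory. Two policies are shown: a targeted one that rejects only the request shape the advisory describes (unsigned trailer, query-string credentials, no 'Authorization' header), and a strict one that rejects every unsigned-trailer write, which is what the remediation recommends until the upgrade is done. The sample requests in 'main' are constructed, and the credential values are placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Protocol names. The trailer marker is the value named in the advisory; the
// header that carries it is assumed to be X-Amz-Content-Sha256 (AWS SigV4).
const (
	contentSHAHeader   = "X-Amz-Content-Sha256"
	unsignedTrailer    = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"
	credentialQueryKey = "X-Amz-Credential"
)

// Policy selects how aggressively the filter acts.
type Policy int

const (
	// Targeted blocks only the request shape the advisory describes: an
	// unsigned-trailer write carrying query-string credentials and no
	// Authorization header.
	Targeted Policy = iota
	// Strict blocks every unsigned-trailer write (the advisory's interim advice).
	Strict
)

// Verdict returns a non-empty reason when the request should be rejected.
// Only PUT is inspected, since PutObject and PutObjectPart are PUT requests.
func Verdict(r *http.Request, p Policy) string {
	if r.Method != http.MethodPut {
		return ""
	}
	if !strings.EqualFold(r.Header.Get(contentSHAHeader), unsignedTrailer) {
		return "" // signed or non-streaming payload: normal verification applies
	}
	if p == Strict {
		return "unsigned-trailer write blocked by interim policy"
	}
	hasAuthHeader := r.Header.Get("Authorization") != ""
	hasQueryCred := r.URL.Query().Get(credentialQueryKey) != ""
	if !hasAuthHeader && hasQueryCred {
		return "unsigned-trailer write with query-string credentials and no Authorization header"
	}
	return ""
}

// BlockUnsignedTrailer wraps the upstream handler (e.g. a proxy to MinIO),
// logs each rejection so it can be alerted on, and answers 403.
func BlockUnsignedTrailer(next http.Handler, p Policy, logf func(string)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if why := Verdict(r, p); why != "" {
			logf(fmt.Sprintf("blocked %s %s: %s", r.Method, r.URL.Path, why))
			http.Error(w, "request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe runs one constructed request through the filter and returns the
// HTTP status the client would see (200 from the stub upstream, or 403).
func Probe(p Policy, method, target string, hdr map[string]string) int {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	h := BlockUnsignedTrailer(upstream, p, func(string) {})
	req := httptest.NewRequest(method, target, nil)
	for k, v := range hdr {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample requests; EXAMPLEKEY is a placeholder, not a real key.
	unsigned := map[string]string{contentSHAHeader: unsignedTrailer}
	signed := map[string]string{
		contentSHAHeader: unsignedTrailer,
		"Authorization":  "AWS4-HMAC-SHA256 Credential=EXAMPLEKEY/20260411/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=placeholder",
	}
	queryTarget := "/bucket/obj?X-Amz-Credential=EXAMPLEKEY%2F20260411%2Fus-east-1%2Fs3%2Faws4_request"

	fmt.Println("query credentials, no Authorization, targeted:", Probe(Targeted, "PUT", queryTarget, unsigned))
	fmt.Println("header-signed, targeted:", Probe(Targeted, "PUT", "/bucket/obj", signed))
	fmt.Println("header-signed, strict:", Probe(Strict, "PUT", "/bucket/obj", signed))
	fmt.Println("GET with query credentials, targeted:", Probe(Targeted, "GET", queryTarget, unsigned))
}
```

The targeted policy keeps header-signed streaming uploads working while closing the described bypass; the strict policy is simpler to reason about and matches the advisory's wording, at the cost of rejecting every client that uses unsigned trailers. Each rejection is logged with its reason so the same filter doubles as a detection point for attempts against the unpatched path.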

Added: Apr 22, 2026, 1:20 AM
Updated: Apr 22, 2026, 1:20 AM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 0.6
exploitability: 7.7
remediation: 8.3
relevance: 6.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.