MinIO
cpe:2.3:a:minio:minio:*:*:*:*:*:*:*
- >= RELEASE.2022-07-24T01-54-52Z, < RELEASE.2025-09-07T16-13-09Z
A path traversal vulnerability has been identified in MinIO's ReadMultiple internode storage-REST endpoint, affecting versions from RELEASE.2022-07-24T01-54-52Z prior to RELEASE.2026-04-14T21-32-45Z. This is not an unauthenticated bug: exploitation requires the cluster root JWT, but a caller holding that token can read files from outside the designated drive roots, limited only by the filesystem permissions of the UID the MinIO process runs as. The issue arises because the ReadMultiple handler forwards caller-supplied path fields (such as the Bucket field) to the storage layer without validating them, so ../ sequences are resolved against the drive root instead of being rejected, and files the caller should never see are returned.
Exploitation of this vulnerability could lead to unauthorized access to files outside the configured drive roots, with potential exposure of sensitive data such as TLS private keys, KMS/KES key material, systemd credentials, and other tenant data owned by or readable to the same UID on the host. In containerized deployments running as UID 0, the vulnerability escalates to arbitrary disclosure of whatever the container's mount namespace exposes: the container's own /etc/shadow and /root/**, Kubernetes service-account tokens mounted into the pod, and, where host paths are mounted into the container, host files such as cloud-init metadata caches.
To reproduce this vulnerability, send a POST request to the ReadMultiple endpoint, authenticated with the cluster root JWT, carrying a msgpack-encoded body whose Bucket field contains ../ sequences. The server processes the request, resolves the traversal against the drive root, and returns the contents of the accessed files in the response stream.
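The check that is missing in the affected handler, as an added illustration and not MinIO's own code: a Go validator (assumed names validateName and safeJoin) that rejects caller-supplied bucket and object names containing "..", absolute paths, or empty segments before they are joined to a drive root, and then confirms that the cleaned result still lies under that root. The drive root and the sample requests, including one shaped like the traversal the advisory describes, are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned when a caller-supplied bucket or object
// name would resolve to a location outside the drive root.
var ErrPathTraversal = errors.New("path escapes drive root")

// validateName rejects a caller-supplied name (bucket or object) before
// it is joined to any drive root. Refusing "..", absolute paths, NUL
// bytes and empty segments up front is simpler and safer than trying to
// detect an escape after the join. The empty-segment rule is deliberately
// strict: "a//b" and "a/" are rejected too.
func validateName(name string) error {
	if name == "" {
		return errors.New("empty name")
	}
	if strings.HasPrefix(name, "/") || strings.Contains(name, "\x00") {
		return ErrPathTraversal
	}
	for _, seg := range strings.Split(name, "/") {
		switch seg {
		case "", ".", "..":
			return ErrPathTraversal
		}
	}
	return nil
}

// safeJoin builds driveRoot/bucket/object and, as defence in depth,
// proves that the cleaned result is still relative to driveRoot.
func safeJoin(driveRoot, bucket, object string) (string, error) {
	if err := validateName(bucket); err != nil {
		return "", fmt.Errorf("bucket: %w", err)
	}
	if err := validateName(object); err != nil {
		return "", fmt.Errorf("object: %w", err)
	}
	root := filepath.Clean(driveRoot)
	full := filepath.Join(root, bucket, object)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return full, nil
}

func main() {
	root := "/mnt/drive1" // constructed drive root
	// Constructed sample inputs: one honest request, then names shaped
	// like the advisory's ".." in the Bucket field, a traversal in the
	// object name, and an absolute path.
	cases := [][2]string{
		{"photos", "2024/cat.jpg"},
		{"../../etc", "shadow"},
		{"photos", "../../../root/.ssh/id_ed25519"},
		{"/etc", "shadow"},
	}
	for _, c := range cases {
		p, err := safeJoin(root, c[0], c[1])
		fmt.Printf("bucket=%q object=%q -> path=%q err=%v\n", c[0], c[1], p, err)
	}
}
```

Lexical checks like this stop the ../ sequences described above, but they do not resolve symlinks: a link inside the drive root can still point outside it. A storage layer that must be robust against that should additionally open paths relative to a directory descriptor for the drive root (for example openat2 with RESOLVE_BENEATH on Linux) or compare the result of filepath.EvalSymlinks against the root.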
Users should upgrade to MinIO AIStor RELEASE.2026-04-14T21-32-45Z or later. If an immediate upgrade is not possible, reduce who can reach the vulnerable code path: because exploitation requires the cluster root JWT, rotate the root credential and restrict who holds it, and do not run the MinIO container as UID 0 so that a successful read is bounded by an unprivileged user's permissions. Additionally, restrict the internode storage-REST port at the network layer so that only cluster peers can connect to it.