github.com/minio/minio vulnerabilities
12 known vulnerabilities affecting github.com/minio/minio.
Total CVEs: 12
CISA KEV: 1 (actively exploited)
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 1, HIGH 9, MEDIUM 2
Vulnerabilities
CVE-2026-39414 | HIGH | affected versions: ≥ 0.0.0-20180815103019-7c14cdb60e53, ≤ 0.0.0-20251203081239-27742d469462 | 2026-04-09
CVE-2026-39414 [HIGH] CWE-770: MinIO affected by a DoS via Unbounded Memory Allocation in S3 Select CSV Parsing
### Impact
MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV
files containing lines longer than available memory. The CSV reader's `nextSplit()`
function calls `bufio.Reader.ReadBytes('\n')` with no size limit, buffering the en
Sources: GHSA, OSV
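As an added illustration of the bug class described above (example code, not MinIO's and not a reproduction of its `nextSplit()`), the Go program below contrasts the unbounded `bufio.Reader.ReadBytes('\n')` pattern with a line reader that enforces a per-line cap while streaming through a small fixed buffer. The 4 KiB buffer size, the 1024-byte cap and the 20 000-byte single-line input are constructed values chosen for the demonstration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrLineTooLong is returned when a single CSV line exceeds the configured cap.
var ErrLineTooLong = errors.New("csv: line exceeds maximum allowed length")

// readLineUnbounded is the vulnerable pattern (a hypothetical stand-in, not
// MinIO's code): ReadBytes keeps growing its result until a '\n' or EOF
// arrives, so the server buffers however many bytes the client chose to send
// before the first newline.
func readLineUnbounded(r *bufio.Reader) ([]byte, error) {
	return r.ReadBytes('\n')
}

// readLineBounded reads one '\n'-terminated line but refuses to accumulate
// more than maxLen bytes. ReadSlice returns bufio.ErrBufferFull each time its
// internal buffer fills without seeing the delimiter, which lets us account
// for bytes as they arrive instead of after the whole line is resident.
func readLineBounded(r *bufio.Reader, maxLen int) ([]byte, error) {
	var line []byte
	for {
		chunk, err := r.ReadSlice('\n')
		if len(line)+len(chunk) > maxLen {
			return nil, ErrLineTooLong
		}
		// ReadSlice's slice is only valid until the next read, so copy it out.
		line = append(line, chunk...)
		if err == nil || err == io.EOF {
			return line, err
		}
		if !errors.Is(err, bufio.ErrBufferFull) {
			return nil, err
		}
		// Buffer full and still no delimiter: keep accumulating under the cap.
	}
}

// countRecords reads an entire CSV body with the bounded reader and returns
// the number of lines read, or ErrLineTooLong as soon as a line overruns.
func countRecords(body io.Reader, maxLen int) (int, error) {
	r := bufio.NewReaderSize(body, 4096)
	n := 0
	for {
		line, err := readLineBounded(r, maxLen)
		if len(line) > 0 {
			n++
		}
		if err == io.EOF {
			return n, nil
		}
		if err != nil {
			return n, err
		}
	}
}

func main() {
	// Constructed inputs: a normal two-line CSV and a 20 000-byte line.
	normal := "name,size\nreport.pdf,1024\n"
	attack := strings.Repeat("A", 20000) + "\n"

	n, err := countRecords(strings.NewReader(normal), 1024)
	fmt.Println("normal:", n, err)

	_, err = countRecords(strings.NewReader(attack), 1024)
	fmt.Println("attack, bounded:", err)

	line, _ := readLineUnbounded(bufio.NewReader(strings.NewReader(attack)))
	fmt.Println("attack, unbounded: buffered", len(line), "bytes")
}
```

The cap is checked on every fragment ReadSlice hands back, so the memory held for an oversized line never exceeds the buffer size plus the cap before the request is rejected.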
CVE-2026-34204 | HIGH | affected versions: ≥ 0.0.0-20240328174456-468a9fae83e9, ≤ 0.0.0-20260212201848-7aac2a2c5b7c | 2026-03-27
CVE-2026-34204 [HIGH] CWE-287: MinIO is Vulnerable to SSE Metadata Injection via Replication Headers
## Impact
A flaw in `extractMetadataFromMime()` allows any authenticated user with `s3:PutObject` permission to inject internal server-side encryption metadata into objects by sending crafted `X-Minio-Replication-*` headers on a normal PutObject request. The server uncondit
Sources: GHSA, OSV
CVE-2026-33419 | CRITICAL | affected versions: ≥ 0, ≤ 0.0.0-20260212201848-7aac2a2c5b7c | 2026-03-20
CVE-2026-33419 [CRITICAL] CWE-204: MinIO LDAP login brute-force via user enumeration and missing rate limit
### Impact
MinIO AIStor's STS (Security Token Service) `AssumeRoleWithLDAPIdentity` endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate
Sources: GHSA, OSV
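The two weaknesses named above, distinguishable failure responses and no attempt budget, are generic to any credential-checking endpoint. The Go program below is an added example, not MinIO's STS code: it shows a bind stub that leaks whether a user exists next to a login path that collapses both failures into one error, performs the password comparison even for unknown users, and throttles per client-and-user with a sliding window. The in-memory `directory`, the 3-attempts-per-minute budget and the 10.0.0.1 client are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Both failure modes collapse into one error so the response cannot serve as
// a username oracle; a separate error signals an exhausted attempt budget.
var (
	ErrInvalidCredentials = errors.New("invalid username or password")
	ErrTooManyAttempts    = errors.New("too many authentication attempts, retry later")
)

// directory is a constructed stand-in for the LDAP bind result: user -> password.
var directory = map[string]string{"alice": "correct horse battery staple"}

// bindUnsafe reproduces the enumeration weakness: the two failure paths return
// different messages, so a client learns which usernames exist without ever
// guessing a password.
func bindUnsafe(user, pass string) error {
	stored, ok := directory[user]
	if !ok {
		return errors.New("user not found in directory")
	}
	if stored != pass {
		return errors.New("invalid password")
	}
	return nil
}

// limiter is a sliding-window attempt counter keyed by an arbitrary string.
// The clock is injectable so the behaviour is testable without sleeping.
type limiter struct {
	mu     sync.Mutex
	max    int
	window time.Duration
	now    func() time.Time
	hits   map[string][]time.Time
}

func newLimiter(max int, window time.Duration, now func() time.Time) *limiter {
	return &limiter{max: max, window: window, now: now, hits: make(map[string][]time.Time)}
}

// allow records an attempt for key and reports whether it was within budget.
func (l *limiter) allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	t := l.now()
	kept := l.hits[key][:0] // drop attempts that have aged out of the window
	for _, h := range l.hits[key] {
		if t.Sub(h) < l.window {
			kept = append(kept, h)
		}
	}
	if len(kept) >= l.max {
		l.hits[key] = kept
		return false
	}
	l.hits[key] = append(kept, t)
	return true
}

type authenticator struct{ lim *limiter }

// login throttles before consulting the directory and returns the same error
// for an unknown user and a wrong password. The comparison runs even when the
// user does not exist so the two paths do not differ measurably in time.
func (a *authenticator) login(clientIP, user, pass string) error {
	// Keyed on IP+user here; production code would keep an IP-only budget too
	// so one source cannot spray many usernames.
	if !a.lim.allow(clientIP + "|" + user) {
		return ErrTooManyAttempts
	}
	stored, ok := directory[user]
	if !ok {
		stored = "\x00no-such-user" // dummy value so the compare still happens
	}
	match := subtle.ConstantTimeCompare([]byte(stored), []byte(pass)) == 1
	if !ok || !match {
		return ErrInvalidCredentials
	}
	return nil
}

func main() {
	a := &authenticator{lim: newLimiter(3, time.Minute, time.Now)}
	fmt.Println("unsafe:", bindUnsafe("bob", "x"), "|", bindUnsafe("alice", "x"))
	fmt.Println("safe:  ", a.login("10.0.0.1", "bob", "x"), "|", a.login("10.0.0.1", "alice", "x"))
	for i := 0; i < 4; i++ {
		fmt.Println("attempt", i+1, "->", a.login("10.0.0.1", "alice", "x"))
	}
}
```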
CVE-2026-33322 | HIGH | CVSS 7.5 | affected versions: ≥ 0, ≤ 0.0.0-20260212201848-7aac2a2c5b7c | 2026-03-19
CVE-2026-33322 [HIGH] CWE-287: MinIO has JWT Algorithm Confusion in OIDC Authentication
### Impact
A JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC `ClientSecret` to forge arbitrary identity tokens and obtain S3 credentials with any policy, including `consoleAdmin`.
An attacker with knowledge of the OIDC `ClientSecre
Sources: GHSA, OSV
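To make the confusion concrete, the Go program below (an added example using only the standard library, not MinIO's OIDC implementation) mints a genuine RS256 ID token with a freshly generated RSA key, then builds a forgery with the same claims whose header says HS256 and whose signature is an HMAC keyed with the client secret. A verifier that lets the token's header select the verification key accepts the forgery; one that pins the expected algorithm rejects it. The `policy` claim, its value, the subject and the client secret string are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

func segment(v any) string {
	b, _ := json.Marshal(v)
	return b64.EncodeToString(b)
}

// signRS256 builds the kind of ID token the real provider issues, signed with its RSA key.
func signRS256(priv *rsa.PrivateKey, claims map[string]any) string {
	input := segment(map[string]string{"alg": "RS256"}) + "." + segment(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64.EncodeToString(sig)
}

// signHS256 builds the forgery: same claims, header says HS256, HMAC keyed with the client secret.
func signHS256(clientSecret []byte, claims map[string]any) string {
	input := segment(map[string]string{"alg": "HS256"}) + "." + segment(claims)
	mac := hmac.New(sha256.New, clientSecret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// verify checks a token's signature. With strict=false the token's own header picks
// the key (the confusion bug); with strict=true only RS256 against the provider's
// public key is accepted and the client secret plays no part in verification.
func verify(token string, pub *rsa.PublicKey, clientSecret []byte, strict bool) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil {
		return errors.New("bad base64 segment")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return err
	}
	if strict && hdr.Alg != "RS256" {
		return fmt.Errorf("alg %q rejected: expected RS256", hdr.Alg)
	}
	input := parts[0] + "." + parts[1]
	switch hdr.Alg {
	case "RS256":
		digest := sha256.Sum256([]byte(input))
		if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
			return errors.New("bad RSA signature")
		}
	case "HS256": // only reachable when strict is false
		mac := hmac.New(sha256.New, clientSecret)
		mac.Write([]byte(input))
		if !hmac.Equal(mac.Sum(nil), sig) {
			return errors.New("bad HMAC")
		}
	default:
		return fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	return nil
}

// scenario runs the forgery against both verifier modes and reports: forged token
// accepted loosely, forged token accepted strictly, genuine token accepted strictly.
func scenario() (forgedLoose, forgedStrict, genuineStrict bool) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	clientSecret := []byte("constructed-client-secret") // assumption: known to the attacker
	claims := map[string]any{"sub": "attacker", "policy": "consoleAdmin"}
	genuine := signRS256(priv, claims)
	forged := signHS256(clientSecret, claims)
	forgedLoose = verify(forged, &priv.PublicKey, clientSecret, false) == nil
	forgedStrict = verify(forged, &priv.PublicKey, clientSecret, true) == nil
	genuineStrict = verify(genuine, &priv.PublicKey, clientSecret, true) == nil
	return
}

func main() {
	loose, strict, genuine := scenario()
	fmt.Printf("forgery accepted: header-driven=%v strict=%v; genuine accepted strictly=%v\n", loose, strict, genuine)
}
```

The fix is not "add an allowlist of safe algorithms" but pinning the single algorithm the provider is configured for and never handing the verifier a symmetric key when asymmetric signatures are expected.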
CVE-2025-62506 | HIGH | affected versions: ≥ 0, < 0.0.0-20251015170045-c1a49490c78e | 2025-10-16
CVE-2025-62506 [HIGH] CWE-863: MinIO is Vulnerable to Privilege Escalation via Session Policy Bypass in Service Accounts and STS
### Summary
A privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrictions when performing "own" account operations, specifically when creating new service a
Sources: GHSA, OSV
CVE-2025-31489 | HIGH | PoC available | affected versions: ≥ 0, < 0.0.0-20250403145552-8c70975283f9 | 2025-04-04
CVE-2025-31489 [HIGH] CWE-347: MinIO performs incomplete signature validation for unsigned-trailer uploads
### Impact
This is a high priority vulnerability and users must upgrade ASAP.
The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on the bucket,
Prior knowledge of access
Sources: GHSA, OSV
CVE-2025-27414 | MEDIUM | affected versions: ≥ 0.0.0-20240605075113-91e1487de457, < 0.0.0-20250227184332-4c71f1b4ec0f | 2025-03-03
CVE-2025-27414 [MEDIUM] CWE-287: MinIO allows an SFTP authentication bypass due to improperly trusted SSH key
### Summary
_A bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access._
### Details
On a MinIO server with SFTP access configured and using LDAP as an external identity provider, MinIO supports SSH key based authentication for SF
Sources: GHSA, OSV
CVE-2024-55949 | HIGH | affected versions: ≥ 0.0.0-20220623162515-580d9db85e04, < 0.0.0-20241213221912-68b004a48f41 | 2024-12-16
CVE-2024-55949 [HIGH] CWE-269: MinIO vulnerable to privilege escalation in IAM import API
### Impact
Privilege escalation in the IAM import API; all deployments built from MinIO commit 580d9db85e04f1b63cc2909af50f0ed08afa965f or later are impacted.
### Patches
```
commit f246c9053f9603e610d98439799bdd2a6b293427
Author: Aditya Manthramurthy
Date: Wed Dec 11 18:09:40 2024 -0800
fix: Privilege escalation in IAM import API (#20756)
This API had missing permission
```
Sources: GHSA, OSV
CVE-2024-36107 | MEDIUM | affected versions: ≥ 0, < 0.0.0-20240527191746-e0fe7cc39172 | 2024-05-29
CVE-2024-36107 [MEDIUM] CWE-200: MinIO information disclosure vulnerability
### Impact
When the [If-Modified-Since](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since) and [If-Unmodified-Since](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since) headers are sent on anonymous requests for random object names, the response reveals whether the object exists in a specific bucket on the server and al
Sources: GHSA, OSV
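As an added example (not MinIO's handler; the check ordering is an assumption about how this class of leak arises, not a statement about MinIO's code), the Go program below models a private bucket behind two GET handlers. One evaluates If-Modified-Since before authorization and therefore answers an anonymous probe with 304 for names that exist and 403 for names that do not; the other authorizes first, so anonymous probes get 403 either way while conditional semantics are preserved for permitted callers. The bucket contents, the object name and the placeholder Authorization value are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

type object struct{ modTime time.Time }

// bucket is a constructed private bucket (no anonymous policy) holding one object.
var bucket = map[string]object{
	"report.pdf": {modTime: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)},
}

// authorized stands in for signature verification: any request carrying an
// Authorization header is treated as an authenticated, permitted caller.
func authorized(r *http.Request) bool {
	return r.Header.Get("Authorization") != ""
}

// notModified evaluates If-Modified-Since: true when the object has not changed
// since the client's date, which normally yields 304.
func notModified(r *http.Request, obj object) bool {
	since, err := http.ParseTime(r.Header.Get("If-Modified-Since"))
	if err != nil {
		return false // header absent or unparsable: not a conditional request
	}
	return !obj.modTime.After(since)
}

// vulnerableGet evaluates the conditional header before authorization, so an
// anonymous caller sees 304 for names that exist and 403 for names that do not:
// an existence oracle that needs no credentials.
func vulnerableGet(w http.ResponseWriter, r *http.Request) {
	obj, exists := bucket[r.URL.Path[1:]]
	if exists && notModified(r, obj) {
		w.WriteHeader(http.StatusNotModified)
		return
	}
	if !authorized(r) {
		w.WriteHeader(http.StatusForbidden)
		return
	}
	if !exists {
		w.WriteHeader(http.StatusNotFound)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// fixedGet decides authorization first. Anonymous callers get 403 whether or not
// the object exists; conditional behaviour is unchanged for permitted callers.
func fixedGet(w http.ResponseWriter, r *http.Request) {
	if !authorized(r) {
		w.WriteHeader(http.StatusForbidden)
		return
	}
	obj, exists := bucket[r.URL.Path[1:]]
	if !exists {
		w.WriteHeader(http.StatusNotFound)
		return
	}
	if notModified(r, obj) {
		w.WriteHeader(http.StatusNotModified)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// probe sends GET /name with If-Modified-Since set to a future date (so any
// existing object counts as "not modified") and returns the status code.
func probe(h http.HandlerFunc, name string, withAuth bool) int {
	req := httptest.NewRequest(http.MethodGet, "/"+name, nil)
	future := time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)
	req.Header.Set("If-Modified-Since", future.Format(http.TimeFormat))
	if withAuth {
		req.Header.Set("Authorization", "AWS4-HMAC-SHA256 placeholder") // constructed credential
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	for _, name := range []string{"report.pdf", "does-not-exist.txt"} {
		fmt.Printf("%-20s anonymous probe: vulnerable=%d fixed=%d\n", name,
			probe(vulnerableGet, name, false), probe(fixedGet, name, false))
	}
}
```

The same ordering argument applies to If-Unmodified-Since (412 versus 403) and to any other precondition evaluated against object metadata: the authorization decision must be made before any metadata-dependent status can be returned.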
CVE-2024-24747 | HIGH | PoC available | affected versions: ≥ 0, < 0.0.0-20240131185645-0ae4915a9391 | 2024-02-01
CVE-2024-24747 [HIGH] CWE-269: Minio unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation
### Summary
When someone creates an access key, it inherits the permissions of the parent key. Not only for
`s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the
access-key hierarchy, the `admin` rights are denied, access keys will be able to simply
Sources: GHSA, OSV
CVE-2023-28433 | HIGH | affected versions: ≥ 0, < 0.0.0-202303200735 | 2023-09-06
CVE-2023-28433 [HIGH] CWE-668: Minio vulnerable to Privilege Escalation on Windows via Path separator manipulation
### Impact
All users on Windows are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement across
buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific
Sources: GHSA, OSV
CVE-2023-28434 | HIGH | CISA KEV | affected versions: ≥ 0, < 0.0.0-202303200415 | 2023-09-05
CVE-2023-28434 [HIGH] CWE-269: Privilege Escalation on Linux/MacOS
### Impact
An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access.
### Patches
```
commit 67f4ba154a27a1b06e48bfabda38355a010dfca5
Author: Aditya Manthramurthy
Date: Sun M
```
Sources: GHSA, OSV