CWE-287
DiscouragedImproper Authentication
Abstraction: Class · Status: Draft
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
5944 vulnerabilities reference this CWE, most recent first.
GHSA-99HH-R3P8-CJXX
Vulnerability from github – Published: 2022-07-19 00:00 – Updated: 2022-07-24 00:00Browsing the admin.html page allows the user to reset the admin password. Also appears in the JS code for the password.
{
"affected": [],
"aliases": [
"CVE-2022-30624"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-18T13:15:00Z",
"severity": "HIGH"
},
"details": "Browsing the admin.html page allows the user to reset the admin password. Also appears in the JS code for the password.",
"id": "GHSA-99hh-r3p8-cjxx",
"modified": "2022-07-24T00:00:36Z",
"published": "2022-07-19T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30624"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-99JG-2FVV-2JFQ
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication cookie with only an email address.
{
"affected": [],
"aliases": [
"CVE-2021-24148"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-18T15:15:00Z",
"severity": "CRITICAL"
},
"details": "A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication cookie with only an email address.",
"id": "GHSA-99jg-2fvv-2jfq",
"modified": "2022-05-24T17:44:51Z",
"published": "2022-05-24T17:44:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24148"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/bf5ddc43-974d-41fa-8276-c1a27d3cc882"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-99JJ-QH79-5JR9
Vulnerability from github – Published: 2022-05-14 03:22 – Updated: 2022-05-14 03:22FiberHome VDSL2 Modem HG 150-UB devices allow authentication bypass by ignoring the parent.location='login.html' JavaScript code in the response to an unauthenticated request.
{
"affected": [],
"aliases": [
"CVE-2018-9249"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-04T15:29:00Z",
"severity": "CRITICAL"
},
"details": "FiberHome VDSL2 Modem HG 150-UB devices allow authentication bypass by ignoring the parent.location=\u0027login.html\u0027 JavaScript code in the response to an unauthenticated request.",
"id": "GHSA-99jj-qh79-5jr9",
"modified": "2022-05-14T03:22:28Z",
"published": "2022-05-14T03:22:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9249"
},
{
"type": "WEB",
"url": "https://gist.github.com/pak0s/cd7ac9c2ee659138816f92693d2df602"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-99P8-9P2C-49J4
Vulnerability from github – Published: 2022-01-21 23:20 – Updated: 2024-10-08 12:37Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test.
- Vulnerability ID: OTF-009
- Vulnerability type: Improper Access Control
- Threat level: Low
Description:
Authenticated users (or unauthenticated in public mode) can send messages without being visible in the list of chat participants.
Technical description:
Prerequisites:
- Existing chatroom
- Access to the chatroom (Public or known Private Key)
- Either a modified frontend client or manual requests from burp/curl
If a user opens the chatroom without emitting the join message he will not be present in session.users[x] list. Therefore there is no listing in the frontend and no chat participant knows another party joined the chat. It is still possible to send messages in the chatroom.
If a user decides to abuse OTF-003 (page 22) he can impersonate messages from existing users; others would not be able to distinguish original and faked messages. This is also a prerequisite for OTF-004 (page 19).
Impact:
An adversary with access to the chat environment can send messages to the chat without being visible in the list of chat participants.
Recommendation:
- Allow chat access only after emission of the join event.
- Implement proper session handling.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "onionshare-cli"
},
"ranges": [
{
"events": [
{
"introduced": "2.3"
},
{
"fixed": "2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-21695"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-19T19:40:50Z",
"nvd_published_at": "2022-01-18T22:15:00Z",
"severity": "MODERATE"
},
"details": "Between September 26, 2021 and October 8, 2021, [Radically Open Security](https://www.radicallyopensecurity.com/) conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund\u0027s [Red Team lab](https://www.opentech.fund/labs/red-team-lab/). This is an issue from that penetration test.\n\n- Vulnerability ID: OTF-009\n- Vulnerability type: Improper Access Control\n- Threat level: Low\n\n## Description:\n\nAuthenticated users (or unauthenticated in public mode) can send messages without being visible in the list of chat participants.\n\n## Technical description:\n\nPrerequisites:\n\n- Existing chatroom\n- Access to the chatroom (Public or known Private Key)\n- Either a modified frontend client or manual requests from burp/curl\n\nIf a user opens the chatroom without emitting the join message he will not be present in session.users[x] list. Therefore there is no listing in the frontend and no chat participant knows another party joined the chat. It is still possible to send messages in the chatroom.\n\nIf a user decides to abuse OTF-003 (page 22) he can impersonate messages from existing users; others would not be able to distinguish original and faked messages. This is also a prerequisite for OTF-004 (page 19).\n\n## Impact:\n\nAn adversary with access to the chat environment can send messages to the chat without being visible in the list of chat participants.\n\n## Recommendation:\n\n- Allow chat access only after emission of the join event.\n- Implement proper session handling.",
"id": "GHSA-99p8-9p2c-49j4",
"modified": "2024-10-08T12:37:35Z",
"published": "2022-01-21T23:20:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-99p8-9p2c-49j4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21695"
},
{
"type": "PACKAGE",
"url": "https://github.com/onionshare/onionshare"
},
{
"type": "WEB",
"url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/onionshare-cli/PYSEC-2022-46.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Improper Access Control in Onionshare"
}
GHSA-99V3-9X35-C5VF
Vulnerability from github – Published: 2022-05-13 01:09 – Updated: 2022-07-07 22:34Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.ws.security:wss4j"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.wss4j:wss4j-ws-security-dom"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-3623"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-07T22:34:04Z",
"nvd_published_at": "2014-10-30T14:55:00Z",
"severity": "MODERATE"
},
"details": "Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.",
"id": "GHSA-99v3-9x35-c5vf",
"modified": "2022-07-07T22:34:04Z",
"published": "2022-05-13T01:09:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3623"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/97754"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/WSS-511"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0236.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html"
},
{
"type": "WEB",
"url": "http://seclists.org/oss-sec/2014/q4/437"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Improper Authentication in Apache WSS4J"
}
GHSA-99XV-4FXW-WM5H
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2024-04-04 01:45A vulnerability in the web-based management interface of Cisco UCS Director and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrator privileges on an affected system. The vulnerability is due to improper authentication request handling. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an unprivileged attacker to access and execute arbitrary actions through certain APIs.
{
"affected": [],
"aliases": [
"CVE-2019-1938"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-21T19:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability in the web-based management interface of Cisco UCS Director and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrator privileges on an affected system. The vulnerability is due to improper authentication request handling. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an unprivileged attacker to access and execute arbitrary actions through certain APIs.",
"id": "GHSA-99xv-4fxw-wm5h",
"modified": "2024-04-04T01:45:05Z",
"published": "2022-05-24T16:54:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1938"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-ucsd-authbypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9C4Q-HQ6P-C237
Vulnerability from github – Published: 2026-04-14 00:04 – Updated: 2026-05-05 15:43Impact
Two authentication bypass vulnerabilities in MinIO's STREAMING-UNSIGNED-PAYLOAD-TRAILER code path
allow any user who knows a valid access key to write arbitrary objects to any bucket without knowing
the secret key or providing a valid cryptographic signature.
Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default
minioadmin, or any key with WRITE permission on a bucket) and a target bucket name.
There are two vulnerabilities:
- Missing Signature Verification in PutObjectExtractHandler / Snowball (CWE-306)
- Signature Verification Bypass via Query-String Credentials (CWE-287)
Vulnerability 1 — Missing signature verification in PutObjectExtractHandler (Snowball)
When authTypeStreamingUnsignedTrailer support was added (commit 76913a9fd, PR #16484), the new auth
type was handled in PutObjectHandler and PutObjectPartHandler but was never added to
PutObjectExtractHandler. The snowball auto-extract handler's switch rAuthType block has no case for
authTypeStreamingUnsignedTrailer, so execution falls through with zero signature verification. The
isPutActionAllowed call before the switch extracts the access key and checks IAM permissions, but
does not verify the cryptographic signature.
An attacker sends a PUT request with X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER,
X-Amz-Meta-Snowball-Auto-Extract: true, and an Authorization header containing a valid access key
with a completely fabricated signature. The request is accepted and the tar payload is extracted into
the bucket.
Affected component: cmd/object-handlers.go, function PutObjectExtractHandler.
Vulnerability 2 — Signature verification bypass via query-string credentials
PutObjectHandler and PutObjectPartHandler call newUnsignedV4ChunkedReader with a signature
verification gate based solely on the presence of the Authorization header:
newUnsignedV4ChunkedReader(r, true, r.Header.Get(xhttp.Authorization) != "")
Meanwhile, isPutActionAllowed extracts credentials from either the Authorization header or the
X-Amz-Credential query parameter, and trusts whichever it finds. An attacker omits the
Authorization header and supplies credentials exclusively via the query string. The signature gate
evaluates to false, doesSignatureMatch is never called, and the request proceeds with the
permissions of the impersonated access key.
Affected components: cmd/object-handlers.go (PutObjectHandler),
cmd/object-multipart-handlers.go (PutObjectPartHandler).
CVSS v4.0 Score: 8.8 (High)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
CWE: CWE-306 (Missing Authentication for Critical Function), CWE-287 (Improper Authentication)
Affected Versions
All MinIO releases through the final release of the minio/minio open-source project.
Both vulnerabilities were introduced in commit
76913a9fd
("Signed trailers for signature v4", PR #16484),
which added authTypeStreamingUnsignedTrailer support. The first affected release is
RELEASE.2023-05-18T00-05-36Z.
Patches
Fixed in: MinIO AIStor RELEASE.2026-04-11T03-20-12Z
Binary Downloads
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio |
| Linux | arm64 | minio |
| macOS | arm64 | minio |
| macOS | amd64 | minio |
| Windows | amd64 | minio.exe |
FIPS Binaries
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio.fips |
| Linux | arm64 | minio.fips |
Package Downloads
| Format | Architecture | Download |
|---|---|---|
| DEB | amd64 | minio_20260411032012.0.0_amd64.deb |
| DEB | arm64 | minio_20260411032012.0.0_arm64.deb |
| RPM | amd64 | minio-20260411032012.0.0-1.x86_64.rpm |
| RPM | arm64 | minio-20260411032012.0.0-1.aarch64.rpm |
Container Images
# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z
# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips
Homebrew (macOS)
brew install minio/aistor/minio
Workarounds
If upgrading is not immediately possible:
-
Block unsigned-trailer requests at the load balancer. Reject any request containing
X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILERat the reverse proxy or WAF layer. Clients can useSTREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER(the signed variant) instead. -
Restrict WRITE permissions. Limit
s3:PutObjectgrants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.
Credits
- Finder: Arvin Shivram of Brutecat Security (@ddd)
References
- Introducing commit:
76913a9fd(PR #16484) - MinIO AIStor
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/minio/minio"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-20230506025312-76913a9fd5c6"
},
{
"last_affected": "0.0.0-20260212201848-7aac2a2c5b7c"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40344"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-306"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T00:04:45Z",
"nvd_published_at": "2026-04-22T01:16:05Z",
"severity": "HIGH"
},
"details": "### Impact\n\nTwo authentication bypass vulnerabilities in MinIO\u0027s `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path\nallow any user who knows a valid access key to write arbitrary objects to any bucket without knowing\nthe secret key or providing a valid cryptographic signature.\n\nAny MinIO deployment is impacted. The attack requires only a valid access key (the well-known default\n`minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name.\n\nThere are two vulnerabilities:\n\n1. Missing Signature Verification in PutObjectExtractHandler / Snowball (CWE-306)\n2. Signature Verification Bypass via Query-String Credentials (CWE-287)\n\n**Vulnerability 1 \u2014 Missing signature verification in PutObjectExtractHandler (Snowball)**\n\nWhen `authTypeStreamingUnsignedTrailer` support was added (commit 76913a9fd, PR #16484), the new auth\ntype was handled in `PutObjectHandler` and `PutObjectPartHandler` but was never added to\n`PutObjectExtractHandler`. The snowball auto-extract handler\u0027s `switch rAuthType` block has no case for\n`authTypeStreamingUnsignedTrailer`, so execution falls through with zero signature verification. The\n`isPutActionAllowed` call before the switch extracts the access key and checks IAM permissions, but\ndoes not verify the cryptographic signature.\n\nAn attacker sends a PUT request with `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`,\n`X-Amz-Meta-Snowball-Auto-Extract: true`, and an `Authorization` header containing a valid access key\nwith a completely fabricated signature. The request is accepted and the tar payload is extracted into\nthe bucket.\n\n**Affected component:** `cmd/object-handlers.go`, function `PutObjectExtractHandler`.\n\n**Vulnerability 2 \u2014 Signature verification bypass via query-string credentials**\n\n`PutObjectHandler` and `PutObjectPartHandler` call `newUnsignedV4ChunkedReader` with a signature\nverification gate based solely on the presence of the `Authorization` header:\n\n```go\nnewUnsignedV4ChunkedReader(r, true, r.Header.Get(xhttp.Authorization) != \"\")\n```\n\nMeanwhile, `isPutActionAllowed` extracts credentials from either the `Authorization` header or the\n`X-Amz-Credential` query parameter, and trusts whichever it finds. An attacker omits the\n`Authorization` header and supplies credentials exclusively via the query string. The signature gate\nevaluates to `false`, `doesSignatureMatch` is never called, and the request proceeds with the\npermissions of the impersonated access key.\n\n**Affected components:** `cmd/object-handlers.go` (`PutObjectHandler`),\n`cmd/object-multipart-handlers.go` (`PutObjectPartHandler`).\n\n**CVSS v4.0 Score:** 8.8 (High)\n\n**Vector:** `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N`\n\n**CWE:** CWE-306 (Missing Authentication for Critical Function), CWE-287 (Improper Authentication)\n\n### Affected Versions\n\nAll MinIO releases through the final release of the minio/minio open-source project.\n\nBoth vulnerabilities were introduced in commit\n[`76913a9fd`](https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091)\n(\"Signed trailers for signature v4\", [PR #16484](https://github.com/minio/minio/pull/16484)),\nwhich added `authTypeStreamingUnsignedTrailer` support. The first affected release is\n`RELEASE.2023-05-18T00-05-36Z`.\n\n### Patches\n\n**Fixed in**: MinIO AIStor RELEASE.2026-04-11T03-20-12Z\n\n#### Binary Downloads\n\n| Platform | Architecture | Download |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux | amd64 | [minio](https://dl.min.io/aistor/minio/release/linux-amd64/minio) |\n| Linux | arm64 | [minio](https://dl.min.io/aistor/minio/release/linux-arm64/minio) |\n| macOS | arm64 | [minio](https://dl.min.io/aistor/minio/release/darwin-arm64/minio) |\n| macOS | amd64 | [minio](https://dl.min.io/aistor/minio/release/darwin-amd64/minio) |\n| Windows | amd64 | [minio.exe](https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe) |\n\n#### FIPS Binaries\n\n| Platform | Architecture | Download |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux | amd64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips) |\n| Linux | arm64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips) |\n\n#### Package Downloads\n\n| Format | Architecture | Download |\n| ------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------- |\n| DEB | amd64 | [minio_20260411032012.0.0_amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio_20260411032012.0.0_amd64.deb) |\n| DEB | arm64 | [minio_20260411032012.0.0_arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio_20260411032012.0.0_arm64.deb) |\n| RPM | amd64 | [minio-20260411032012.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260411032012.0.0-1.x86_64.rpm) |\n| RPM | arm64 | [minio-20260411032012.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/release/linux-arm64/minio-20260411032012.0.0-1.aarch64.rpm) |\n\n#### Container Images\n\n```bash\n# Standard\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z\n\n# FIPS\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips\n```\n\n#### Homebrew (macOS)\n\n```bash\nbrew install minio/aistor/minio\n```\n\n### Workarounds\n\n- [Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-04-11T03-20-12Z` or later.](https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/)\n\nIf upgrading is not immediately possible:\n\n- **Block unsigned-trailer requests at the load balancer.** Reject any request containing\n `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the reverse proxy or WAF layer.\n Clients can use `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER` (the signed variant) instead.\n\n- **Restrict WRITE permissions.** Limit `s3:PutObject` grants to trusted principals. While this\n reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE\n permission can exploit it with only their access key.\n\n### Credits\n\n- **Finder:** Arvin Shivram of Brutecat Security ([@ddd](https://github.com/ddd))\n\n### References\n\n- Introducing commit: [`76913a9fd`](https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091) ([PR #16484](https://github.com/minio/minio/pull/16484))\n- [MinIO AIStor](https://min.io/aistor)",
"id": "GHSA-9c4q-hq6p-c237",
"modified": "2026-05-05T15:43:25Z",
"published": "2026-04-14T00:04:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/minio/minio/security/advisories/GHSA-9c4q-hq6p-c237"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40344"
},
{
"type": "WEB",
"url": "https://github.com/minio/minio/pull/16484"
},
{
"type": "WEB",
"url": "https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091"
},
{
"type": "PACKAGE",
"url": "https://github.com/minio/minio"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MinIO has an Unauthenticated Object Write via Missing Signature Verification in Unsigned-Trailer Uploads"
}
GHSA-9C5R-2FV8-6QM7
Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-05-24 17:49AVE DOMINAplus <=1.10.x suffers from an authentication bypass vulnerability due to missing control check when directly calling the autologin GET parameter in changeparams.php script. Setting the autologin value to 1 allows an unauthenticated attacker to permanently disable the authentication security control and access the management interface with admin privileges without providing credentials.
{
"affected": [],
"aliases": [
"CVE-2020-21991"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-28T14:15:00Z",
"severity": "CRITICAL"
},
"details": "AVE DOMINAplus \u003c=1.10.x suffers from an authentication bypass vulnerability due to missing control check when directly calling the autologin GET parameter in changeparams.php script. Setting the autologin value to 1 allows an unauthenticated attacker to permanently disable the authentication security control and access the management interface with admin privileges without providing credentials.",
"id": "GHSA-9c5r-2fv8-6qm7",
"modified": "2022-05-24T17:49:04Z",
"published": "2022-05-24T17:49:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21991"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/47822"
},
{
"type": "WEB",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5549.php"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9C82-VPF4-HVH3
Vulnerability from github – Published: 2025-09-23 18:30 – Updated: 2025-09-23 18:30A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Authentication. A single cryptographic key is used across all tenants to sign authentication cookies, allowing a privileged user in one tenant to forge authentication cookies for users in other tenants.
Because the Auto-Login feature is enabled by default, this flaw may allow an attacker to gain unauthorized access and potentially take over accounts in other tenants. Successful exploitation requires access to Adaptive Authentication functionality, which is typically restricted to high-privileged users. The vulnerability is only exploitable when Auto-Login is enabled, reducing its practical impact in deployments where the feature is disabled.
{
"affected": [],
"aliases": [
"CVE-2025-0663"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-23T17:15:32Z",
"severity": "MODERATE"
},
"details": "A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Authentication. A single cryptographic key is used across all tenants to sign authentication cookies, allowing a privileged user in one tenant to forge authentication cookies for users in other tenants.\n\nBecause the Auto-Login feature is enabled by default, this flaw may allow an attacker to gain unauthorized access and potentially take over accounts in other tenants. Successful exploitation requires access to Adaptive Authentication functionality, which is typically restricted to high-privileged users. The vulnerability is only exploitable when Auto-Login is enabled, reducing its practical impact in deployments where the feature is disabled.",
"id": "GHSA-9c82-vpf4-hvh3",
"modified": "2025-09-23T18:30:23Z",
"published": "2025-09-23T18:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0663"
},
{
"type": "WEB",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3864"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9C97-CR35-RHC3
Vulnerability from github – Published: 2022-09-02 00:01 – Updated: 2022-09-08 00:00Dell EMC CloudLink 7.1.2 and all prior versions contain an Authentication Bypass Vulnerability. A remote attacker, with the knowledge of the active directory usernames, could potentially exploit this vulnerability to gain unauthorized access to the system.
{
"affected": [],
"aliases": [
"CVE-2022-34379"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-01T19:15:00Z",
"severity": "CRITICAL"
},
"details": "Dell EMC CloudLink 7.1.2 and all prior versions contain an Authentication Bypass Vulnerability. A remote attacker, with the knowledge of the active directory usernames, could potentially exploit this vulnerability to gain unauthorized access to the system.",
"id": "GHSA-9c97-cr35-rhc3",
"modified": "2022-09-08T00:00:33Z",
"published": "2022-09-02T00:01:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34379"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000202057/dsa-2022-207-dell-emc-cloudlink-security-update-for-an-ad-users-login-without-password-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Libraries or Frameworks
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
CAPEC-114: Authentication Abuse
An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.
CAPEC-115: Authentication Bypass
An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
CAPEC-151: Identity Spoofing
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.
CAPEC-194: Fake the Source of Data
An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.
CAPEC-593: Session Hijacking
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
CAPEC-633: Token Impersonation
An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.
CAPEC-650: Upload a Web Shell to a Web Server
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.