CWE-287
DiscouragedImproper Authentication
Abstraction: Class · Status: Draft
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
5964 vulnerabilities reference this CWE, most recent first.
GHSA-HRH9-4G5W-7Q9J
Vulnerability from github – Published: 2022-05-14 01:22 – Updated: 2022-05-14 01:22The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709 Windows Server 2016 and Windows Server, version 1709 allows a remote code execution vulnerability due to how CredSSP validates request during the authentication process, aka "CredSSP Remote Code Execution Vulnerability".
{
"affected": [],
"aliases": [
"CVE-2018-0886"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-14T17:29:00Z",
"severity": "HIGH"
},
"details": "The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709 Windows Server 2016 and Windows Server, version 1709 allows a remote code execution vulnerability due to how CredSSP validates request during the authentication process, aka \"CredSSP Remote Code Execution Vulnerability\".",
"id": "GHSA-hrh9-4g5w-7q9j",
"modified": "2022-05-14T01:22:02Z",
"published": "2022-05-14T01:22:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0886"
},
{
"type": "WEB",
"url": "https://blog.preempt.com/security-advisory-credssp"
},
{
"type": "WEB",
"url": "https://github.com/preempt/credssp"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-198-03"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0886"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44453"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103265"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040506"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HRHC-CX9F-G4Q6
Vulnerability from github – Published: 2025-03-07 09:30 – Updated: 2025-03-07 09:30The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled.
{
"affected": [],
"aliases": [
"CVE-2025-1475"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-07T07:15:23Z",
"severity": "CRITICAL"
},
"details": "The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the \u0027user_phone\u0027 parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled.",
"id": "GHSA-hrhc-cx9f-g4q6",
"modified": "2025-03-07T09:30:34Z",
"published": "2025-03-07T09:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1475"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.1/includes/form-validation.php#L110"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3248208"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05178bf3-3040-41aa-ba43-779376d30298?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HRJX-RC7Q-37J3
Vulnerability from github – Published: 2022-05-01 17:58 – Updated: 2022-05-01 17:58Session fixation vulnerability in onelook onebyone CMS allows remote attackers to hijack web sessions by setting a PHPSESSID cookie.
{
"affected": [],
"aliases": [
"CVE-2007-1952"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2007-04-11T01:19:00Z",
"severity": "HIGH"
},
"details": "Session fixation vulnerability in onelook onebyone CMS allows remote attackers to hijack web sessions by setting a PHPSESSID cookie.",
"id": "GHSA-hrjx-rc7q-37j3",
"modified": "2022-05-01T17:58:49Z",
"published": "2022-05-01T17:58:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-1952"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33497"
},
{
"type": "WEB",
"url": "http://securityreason.com/securityalert/2546"
},
{
"type": "WEB",
"url": "http://www.majorsecurity.de/index_2.php?major_rls=major_rls39"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/464884/100/0/threaded"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HRM3-3XM6-X33H
Vulnerability from github – Published: 2022-12-28 00:30 – Updated: 2023-01-10 15:49Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/nanobox-io/golang-nanoauth"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-20160722212129-ac0cc4484ad4"
},
{
"fixed": "0.0.0-20200131131040-063a3fb69896"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36569"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-305"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-30T18:54:51Z",
"nvd_published_at": "2022-12-27T22:15:00Z",
"severity": "CRITICAL"
},
"details": "Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token.",
"id": "GHSA-hrm3-3xm6-x33h",
"modified": "2023-01-10T15:49:55Z",
"published": "2022-12-28T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36569"
},
{
"type": "WEB",
"url": "https://github.com/nanobox-io/golang-nanoauth/pull/5"
},
{
"type": "WEB",
"url": "https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3"
},
{
"type": "PACKAGE",
"url": "https://github.com/nanobox-io/golang-nanoauth"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2020-0004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "golang-nanoauth authentication bypass vulnerability"
}
GHSA-HRPF-8Q8G-5RWF
Vulnerability from github – Published: 2022-05-02 00:01 – Updated: 2022-05-02 00:01Login Window in Apple Mac OS X 10.4.11 does not clear the current password when a user makes a password-change attempt that is denied by policy, which allows opportunistic, physically proximate attackers to bypass authentication and change this user's password by later entering an acceptable new password on the same login screen.
{
"affected": [],
"aliases": [
"CVE-2008-3611"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-09-16T23:00:00Z",
"severity": "MODERATE"
},
"details": "Login Window in Apple Mac OS X 10.4.11 does not clear the current password when a user makes a password-change attempt that is denied by policy, which allows opportunistic, physically proximate attackers to bypass authentication and change this user\u0027s password by later entering an acceptable new password on the same login screen.",
"id": "GHSA-hrpf-8q8g-5rwf",
"modified": "2022-05-02T00:01:44Z",
"published": "2022-05-02T00:01:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3611"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45171"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce//2008/Sep/msg00005.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/31882"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1020878"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/31189"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA08-260A.html"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/2584"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HRR3-C733-FJ52
Vulnerability from github – Published: 2022-05-14 01:00 – Updated: 2022-05-14 01:00Western Digital WD My Cloud v04.05.00-320 devices embed the session token (aka PHPSESSID) in filenames, which makes it easier for attackers to bypass authentication by listing a directory. NOTE: this can be exploited in conjunction with CVE-2018-7171 for remote authentication bypass within a product that uses My Cloud.
{
"affected": [],
"aliases": [
"CVE-2018-9148"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-30T19:29:00Z",
"severity": "CRITICAL"
},
"details": "Western Digital WD My Cloud v04.05.00-320 devices embed the session token (aka PHPSESSID) in filenames, which makes it easier for attackers to bypass authentication by listing a directory. NOTE: this can be exploited in conjunction with CVE-2018-7171 for remote authentication bypass within a product that uses My Cloud.",
"id": "GHSA-hrr3-c733-fj52",
"modified": "2022-05-14T01:00:18Z",
"published": "2022-05-14T01:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9148"
},
{
"type": "WEB",
"url": "https://exploit-db.com/exploits/44350"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HRRQ-73FQ-JH5M
Vulnerability from github – Published: 2022-05-17 03:50 – Updated: 2022-05-17 03:50Juniper Junos OS before 12.1X46-D50 on SRX Series devices reverts to "safe mode" authentication and allows root CLI logins without a password after a failed upgrade to 12.1X46, which might allow local users to gain privileges by leveraging use of the "request system software" command with the "partition" option.
{
"affected": [],
"aliases": [
"CVE-2016-1278"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-08-05T15:59:00Z",
"severity": "HIGH"
},
"details": "Juniper Junos OS before 12.1X46-D50 on SRX Series devices reverts to \"safe mode\" authentication and allows root CLI logins without a password after a failed upgrade to 12.1X46, which might allow local users to gain privileges by leveraging use of the \"request system software\" command with the \"partition\" option.",
"id": "GHSA-hrrq-73fq-jh5m",
"modified": "2022-05-17T03:50:32Z",
"published": "2022-05-17T03:50:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1278"
},
{
"type": "WEB",
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10753"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/91757"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1036307"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HRW5-48MV-4V6H
Vulnerability from github – Published: 2022-05-13 01:13 – Updated: 2022-05-13 01:13PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user via an unknown username.
{
"affected": [],
"aliases": [
"CVE-2015-6817"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-23T04:29:00Z",
"severity": "HIGH"
},
"details": "PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user via an unknown username.",
"id": "GHSA-hrw5-48mv-4v6h",
"modified": "2022-05-13T01:13:50Z",
"published": "2022-05-13T01:13:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-6817"
},
{
"type": "WEB",
"url": "https://github.com/pgbouncer/pgbouncer/issues/69"
},
{
"type": "WEB",
"url": "https://github.com/pgbouncer/pgbouncer/commit/7ca3e5279d05fceb1e8a043c6f5b6f58dea3ed38"
},
{
"type": "WEB",
"url": "https://pgbouncer.github.io/2015/09/pgbouncer-1-6-1"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201701-24"
},
{
"type": "WEB",
"url": "http://comments.gmane.org/gmane.comp.db.postgresql.pgbouncer.general/1251"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/09/05/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HRWX-88RH-95Q7
Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2026-04-20 21:31Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover.
{
"affected": [],
"aliases": [
"CVE-2025-32975"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-24T15:15:23Z",
"severity": "CRITICAL"
},
"details": "Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover.",
"id": "GHSA-hrwx-88rh-95q7",
"modified": "2026-04-20T21:31:38Z",
"published": "2025-06-26T21:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32975"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2025/Jun/22"
},
{
"type": "WEB",
"url": "https://seralys.com/research/CVE-2025-32975.txt"
},
{
"type": "WEB",
"url": "https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32975"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jun/25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HV4R-MVR4-25VW
Vulnerability from github – Published: 2026-04-14 23:40 – Updated: 2026-05-05 15:43Impact
What kind of vulnerability is it? Who is impacted?
An authentication bypass vulnerability in MinIO's STREAMING-UNSIGNED-PAYLOAD-TRAILER code path
allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing
the secret key or providing a valid cryptographic signature.
Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default
minioadmin, or any key with WRITE permission on a bucket) and a target bucket name.
PutObjectHandler and PutObjectPartHandler call newUnsignedV4ChunkedReader with a signature
verification gate based solely on the presence of the Authorization header:
newUnsignedV4ChunkedReader(r, true, r.Header.Get(xhttp.Authorization) != "")
Meanwhile, isPutActionAllowed extracts credentials from either the Authorization header or the
X-Amz-Credential query parameter, and trusts whichever it finds. An attacker omits the
Authorization header and supplies credentials exclusively via the query string. The signature gate
evaluates to false, doesSignatureMatch is never called, and the request proceeds with the
permissions of the impersonated access key.
This affects PutObjectHandler (standard and tables/warehouse bucket paths) and
PutObjectPartHandler (multipart uploads).
Affected components: cmd/object-handlers.go (PutObjectHandler),
cmd/object-multipart-handlers.go (PutObjectPartHandler).
Affected Versions
All MinIO releases through the final release of the minio/minio open-source project.
The vulnerability was introduced in commit
76913a9fd
("Signed trailers for signature v4", PR #16484),
which added authTypeStreamingUnsignedTrailer support. The first affected release is
RELEASE.2023-05-18T00-05-36Z.
Patches
Fixed in: MinIO AIStor RELEASE.2026-04-11T03-20-12Z
Binary Downloads
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio |
| Linux | arm64 | minio |
| macOS | arm64 | minio |
| macOS | amd64 | minio |
| Windows | amd64 | minio.exe |
FIPS Binaries
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio.fips |
| Linux | arm64 | minio.fips |
Package Downloads
| Format | Architecture | Download |
|---|---|---|
| DEB | amd64 | minio_20260411032012.0.0_amd64.deb |
| DEB | arm64 | minio_20260411032012.0.0_arm64.deb |
| RPM | amd64 | minio-20260411032012.0.0-1.x86_64.rpm |
| RPM | arm64 | minio-20260411032012.0.0-1.aarch64.rpm |
Container Images
# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z
# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips
Homebrew (macOS)
brew install minio/aistor/minio
Workarounds
If upgrading is not immediately possible:
-
Block unsigned-trailer requests at the load balancer. Reject any request containing
X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILERat the reverse proxy or WAF layer. Clients can useSTREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER(the signed variant) instead. -
Restrict WRITE permissions. Limit
s3:PutObjectgrants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.
Credits
- Finder: Arvin Shivram of Brutecat Security (@ddd)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/minio/minio"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-20230506025312-76913a9fd5c6"
},
{
"last_affected": "0.0.0-20260212201848-7aac2a2c5b7c"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41145"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T23:40:05Z",
"nvd_published_at": "2026-04-22T01:16:05Z",
"severity": "HIGH"
},
"details": "### Impact\n\n_What kind of vulnerability is it? Who is impacted?_\n\nAn authentication bypass vulnerability in MinIO\u0027s `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path\nallows any user who knows a valid access key to write arbitrary objects to any bucket without knowing\nthe secret key or providing a valid cryptographic signature.\n\nAny MinIO deployment is impacted. The attack requires only a valid access key (the well-known default\n`minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name.\n\n`PutObjectHandler` and `PutObjectPartHandler` call `newUnsignedV4ChunkedReader` with a signature\nverification gate based solely on the presence of the `Authorization` header:\n\n```go\nnewUnsignedV4ChunkedReader(r, true, r.Header.Get(xhttp.Authorization) != \"\")\n```\n\nMeanwhile, `isPutActionAllowed` extracts credentials from either the `Authorization` header or the\n`X-Amz-Credential` query parameter, and trusts whichever it finds. An attacker omits the\n`Authorization` header and supplies credentials exclusively via the query string. The signature gate\nevaluates to `false`, `doesSignatureMatch` is never called, and the request proceeds with the\npermissions of the impersonated access key.\n\nThis affects `PutObjectHandler` (standard and tables/warehouse bucket paths) and\n`PutObjectPartHandler` (multipart uploads).\n\n**Affected components:** `cmd/object-handlers.go` (`PutObjectHandler`),\n`cmd/object-multipart-handlers.go` (`PutObjectPartHandler`).\n\n### Affected Versions\n\nAll MinIO releases through the final release of the minio/minio open-source project.\n\nThe vulnerability was introduced in commit\n[`76913a9fd`](https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091)\n(\"Signed trailers for signature v4\", [PR #16484](https://github.com/minio/minio/pull/16484)),\nwhich added `authTypeStreamingUnsignedTrailer` support. The first affected release is\n`RELEASE.2023-05-18T00-05-36Z`.\n\n### Patches\n\n**Fixed in**: MinIO AIStor RELEASE.2026-04-11T03-20-12Z\n\n#### Binary Downloads\n\n| Platform | Architecture | Download |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux | amd64 | [minio](https://dl.min.io/aistor/minio/release/linux-amd64/minio) |\n| Linux | arm64 | [minio](https://dl.min.io/aistor/minio/release/linux-arm64/minio) |\n| macOS | arm64 | [minio](https://dl.min.io/aistor/minio/release/darwin-arm64/minio) |\n| macOS | amd64 | [minio](https://dl.min.io/aistor/minio/release/darwin-amd64/minio) |\n| Windows | amd64 | [minio.exe](https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe) |\n\n#### FIPS Binaries\n\n| Platform | Architecture | Download |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux | amd64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips) |\n| Linux | arm64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips) |\n\n#### Package Downloads\n\n| Format | Architecture | Download |\n| ------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------- |\n| DEB | amd64 | [minio_20260411032012.0.0_amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio_20260411032012.0.0_amd64.deb) |\n| DEB | arm64 | [minio_20260411032012.0.0_arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio_20260411032012.0.0_arm64.deb) |\n| RPM | amd64 | [minio-20260411032012.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260411032012.0.0-1.x86_64.rpm) |\n| RPM | arm64 | [minio-20260411032012.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/release/linux-arm64/minio-20260411032012.0.0-1.aarch64.rpm) |\n\n#### Container Images\n\n```bash\n# Standard\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z\n\n# FIPS\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips\n```\n\n#### Homebrew (macOS)\n\n```bash\nbrew install minio/aistor/minio\n```\n\n### Workarounds\n\n- [Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-04-11T03-20-12Z` or later.](https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/)\n\nIf upgrading is not immediately possible:\n\n- **Block unsigned-trailer requests at the load balancer.** Reject any request containing\n `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the reverse proxy or WAF layer.\n Clients can use `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER` (the signed variant) instead.\n\n- **Restrict WRITE permissions.** Limit `s3:PutObject` grants to trusted principals. While this\n reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE\n permission can exploit it with only their access key.\n\n### Credits\n\n- **Finder:** Arvin Shivram of Brutecat Security ([@ddd](https://github.com/ddd))",
"id": "GHSA-hv4r-mvr4-25vw",
"modified": "2026-05-05T15:43:33Z",
"published": "2026-04-14T23:40:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/minio/minio/security/advisories/GHSA-hv4r-mvr4-25vw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41145"
},
{
"type": "WEB",
"url": "https://github.com/minio/minio/pull/16484"
},
{
"type": "WEB",
"url": "https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091"
},
{
"type": "PACKAGE",
"url": "https://github.com/minio/minio"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MinIO has an Unauthenticated Object Write via Query-String Credential Signature Bypass in Unsigned-Trailer Uploads"
}
Mitigation
Strategy: Libraries or Frameworks
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
CAPEC-114: Authentication Abuse
An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.
CAPEC-115: Authentication Bypass
An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
CAPEC-151: Identity Spoofing
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.
CAPEC-194: Fake the Source of Data
An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.
CAPEC-593: Session Hijacking
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
CAPEC-633: Token Impersonation
An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.
CAPEC-650: Upload a Web Shell to a Web Server
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.