Common Weakness Enumeration

CWE-287

Discouraged

Improper Authentication

Abstraction: Class · Status: Draft

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

5964 vulnerabilities reference this CWE, most recent first.

GHSA-HRH9-4G5W-7Q9J

Vulnerability from github – Published: 2022-05-14 01:22 – Updated: 2022-05-14 01:22
VLAI
Details

The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709 Windows Server 2016 and Windows Server, version 1709 allows a remote code execution vulnerability due to how CredSSP validates request during the authentication process, aka "CredSSP Remote Code Execution Vulnerability".

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0886"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-14T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709 Windows Server 2016 and Windows Server, version 1709 allows a remote code execution vulnerability due to how CredSSP validates request during the authentication process, aka \"CredSSP Remote Code Execution Vulnerability\".",
  "id": "GHSA-hrh9-4g5w-7q9j",
  "modified": "2022-05-14T01:22:02Z",
  "published": "2022-05-14T01:22:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0886"
    },
    {
      "type": "WEB",
      "url": "https://blog.preempt.com/security-advisory-credssp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/preempt/credssp"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-198-03"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0886"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44453"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103265"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040506"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HRHC-CX9F-G4Q6

Vulnerability from github – Published: 2025-03-07 09:30 – Updated: 2025-03-07 09:30
VLAI
Details

The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1475"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-07T07:15:23Z",
    "severity": "CRITICAL"
  },
  "details": "The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the \u0027user_phone\u0027 parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled.",
  "id": "GHSA-hrhc-cx9f-g4q6",
  "modified": "2025-03-07T09:30:34Z",
  "published": "2025-03-07T09:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1475"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.1/includes/form-validation.php#L110"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3248208"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05178bf3-3040-41aa-ba43-779376d30298?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HRJX-RC7Q-37J3

Vulnerability from github – Published: 2022-05-01 17:58 – Updated: 2022-05-01 17:58
VLAI
Details

Session fixation vulnerability in onelook onebyone CMS allows remote attackers to hijack web sessions by setting a PHPSESSID cookie.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-1952"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-04-11T01:19:00Z",
    "severity": "HIGH"
  },
  "details": "Session fixation vulnerability in onelook onebyone CMS allows remote attackers to hijack web sessions by setting a PHPSESSID cookie.",
  "id": "GHSA-hrjx-rc7q-37j3",
  "modified": "2022-05-01T17:58:49Z",
  "published": "2022-05-01T17:58:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-1952"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33497"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/2546"
    },
    {
      "type": "WEB",
      "url": "http://www.majorsecurity.de/index_2.php?major_rls=major_rls39"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/464884/100/0/threaded"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HRM3-3XM6-X33H

Vulnerability from github – Published: 2022-12-28 00:30 – Updated: 2023-01-10 15:49
VLAI
Summary
golang-nanoauth authentication bypass vulnerability
Details

Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nanobox-io/golang-nanoauth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-20160722212129-ac0cc4484ad4"
            },
            {
              "fixed": "0.0.0-20200131131040-063a3fb69896"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-36569"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-305"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-30T18:54:51Z",
    "nvd_published_at": "2022-12-27T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token.",
  "id": "GHSA-hrm3-3xm6-x33h",
  "modified": "2023-01-10T15:49:55Z",
  "published": "2022-12-28T00:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36569"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nanobox-io/golang-nanoauth/pull/5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nanobox-io/golang-nanoauth"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2020-0004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "golang-nanoauth authentication bypass vulnerability"
}

GHSA-HRPF-8Q8G-5RWF

Vulnerability from github – Published: 2022-05-02 00:01 – Updated: 2022-05-02 00:01
VLAI
Details

Login Window in Apple Mac OS X 10.4.11 does not clear the current password when a user makes a password-change attempt that is denied by policy, which allows opportunistic, physically proximate attackers to bypass authentication and change this user's password by later entering an acceptable new password on the same login screen.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-3611"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-09-16T23:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Login Window in Apple Mac OS X 10.4.11 does not clear the current password when a user makes a password-change attempt that is denied by policy, which allows opportunistic, physically proximate attackers to bypass authentication and change this user\u0027s password by later entering an acceptable new password on the same login screen.",
  "id": "GHSA-hrpf-8q8g-5rwf",
  "modified": "2022-05-02T00:01:44Z",
  "published": "2022-05-02T00:01:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3611"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45171"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce//2008/Sep/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/31882"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1020878"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/31189"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA08-260A.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/2584"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HRR3-C733-FJ52

Vulnerability from github – Published: 2022-05-14 01:00 – Updated: 2022-05-14 01:00
VLAI
Details

Western Digital WD My Cloud v04.05.00-320 devices embed the session token (aka PHPSESSID) in filenames, which makes it easier for attackers to bypass authentication by listing a directory. NOTE: this can be exploited in conjunction with CVE-2018-7171 for remote authentication bypass within a product that uses My Cloud.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-9148"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-30T19:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Western Digital WD My Cloud v04.05.00-320 devices embed the session token (aka PHPSESSID) in filenames, which makes it easier for attackers to bypass authentication by listing a directory. NOTE: this can be exploited in conjunction with CVE-2018-7171 for remote authentication bypass within a product that uses My Cloud.",
  "id": "GHSA-hrr3-c733-fj52",
  "modified": "2022-05-14T01:00:18Z",
  "published": "2022-05-14T01:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9148"
    },
    {
      "type": "WEB",
      "url": "https://exploit-db.com/exploits/44350"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HRRQ-73FQ-JH5M

Vulnerability from github – Published: 2022-05-17 03:50 – Updated: 2022-05-17 03:50
VLAI
Details

Juniper Junos OS before 12.1X46-D50 on SRX Series devices reverts to "safe mode" authentication and allows root CLI logins without a password after a failed upgrade to 12.1X46, which might allow local users to gain privileges by leveraging use of the "request system software" command with the "partition" option.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-1278"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-08-05T15:59:00Z",
    "severity": "HIGH"
  },
  "details": "Juniper Junos OS before 12.1X46-D50 on SRX Series devices reverts to \"safe mode\" authentication and allows root CLI logins without a password after a failed upgrade to 12.1X46, which might allow local users to gain privileges by leveraging use of the \"request system software\" command with the \"partition\" option.",
  "id": "GHSA-hrrq-73fq-jh5m",
  "modified": "2022-05-17T03:50:32Z",
  "published": "2022-05-17T03:50:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1278"
    },
    {
      "type": "WEB",
      "url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10753"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/91757"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1036307"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HRW5-48MV-4V6H

Vulnerability from github – Published: 2022-05-13 01:13 – Updated: 2022-05-13 01:13
VLAI
Details

PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user via an unknown username.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-6817"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-23T04:29:00Z",
    "severity": "HIGH"
  },
  "details": "PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user via an unknown username.",
  "id": "GHSA-hrw5-48mv-4v6h",
  "modified": "2022-05-13T01:13:50Z",
  "published": "2022-05-13T01:13:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-6817"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pgbouncer/pgbouncer/issues/69"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pgbouncer/pgbouncer/commit/7ca3e5279d05fceb1e8a043c6f5b6f58dea3ed38"
    },
    {
      "type": "WEB",
      "url": "https://pgbouncer.github.io/2015/09/pgbouncer-1-6-1"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201701-24"
    },
    {
      "type": "WEB",
      "url": "http://comments.gmane.org/gmane.comp.db.postgresql.pgbouncer.general/1251"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2015/09/05/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HRWX-88RH-95Q7

Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2026-04-20 21:31
VLAI
Details

Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32975"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-24T15:15:23Z",
    "severity": "CRITICAL"
  },
  "details": "Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover.",
  "id": "GHSA-hrwx-88rh-95q7",
  "modified": "2026-04-20T21:31:38Z",
  "published": "2025-06-26T21:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32975"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2025/Jun/22"
    },
    {
      "type": "WEB",
      "url": "https://seralys.com/research/CVE-2025-32975.txt"
    },
    {
      "type": "WEB",
      "url": "https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32975"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jun/25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HV4R-MVR4-25VW

Vulnerability from github – Published: 2026-04-14 23:40 – Updated: 2026-05-05 15:43
VLAI
Summary
MinIO has an Unauthenticated Object Write via Query-String Credential Signature Bypass in Unsigned-Trailer Uploads
Details

Impact

What kind of vulnerability is it? Who is impacted?

An authentication bypass vulnerability in MinIO's STREAMING-UNSIGNED-PAYLOAD-TRAILER code path allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature.

Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default minioadmin, or any key with WRITE permission on a bucket) and a target bucket name.

PutObjectHandler and PutObjectPartHandler call newUnsignedV4ChunkedReader with a signature verification gate based solely on the presence of the Authorization header:

newUnsignedV4ChunkedReader(r, true, r.Header.Get(xhttp.Authorization) != "")

Meanwhile, isPutActionAllowed extracts credentials from either the Authorization header or the X-Amz-Credential query parameter, and trusts whichever it finds. An attacker omits the Authorization header and supplies credentials exclusively via the query string. The signature gate evaluates to false, doesSignatureMatch is never called, and the request proceeds with the permissions of the impersonated access key.

This affects PutObjectHandler (standard and tables/warehouse bucket paths) and PutObjectPartHandler (multipart uploads).

Affected components: cmd/object-handlers.go (PutObjectHandler), cmd/object-multipart-handlers.go (PutObjectPartHandler).

Affected Versions

All MinIO releases through the final release of the minio/minio open-source project.

The vulnerability was introduced in commit 76913a9fd ("Signed trailers for signature v4", PR #16484), which added authTypeStreamingUnsignedTrailer support. The first affected release is RELEASE.2023-05-18T00-05-36Z.

Patches

Fixed in: MinIO AIStor RELEASE.2026-04-11T03-20-12Z

Binary Downloads

Platform Architecture Download
Linux amd64 minio
Linux arm64 minio
macOS arm64 minio
macOS amd64 minio
Windows amd64 minio.exe

FIPS Binaries

Platform Architecture Download
Linux amd64 minio.fips
Linux arm64 minio.fips

Package Downloads

Format Architecture Download
DEB amd64 minio_20260411032012.0.0_amd64.deb
DEB arm64 minio_20260411032012.0.0_arm64.deb
RPM amd64 minio-20260411032012.0.0-1.x86_64.rpm
RPM arm64 minio-20260411032012.0.0-1.aarch64.rpm

Container Images

# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z

# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips

Homebrew (macOS)

brew install minio/aistor/minio

Workarounds

If upgrading is not immediately possible:

  • Block unsigned-trailer requests at the load balancer. Reject any request containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer. Clients can use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead.

  • Restrict WRITE permissions. Limit s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.

Credits

  • Finder: Arvin Shivram of Brutecat Security (@ddd)
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/minio/minio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-20230506025312-76913a9fd5c6"
            },
            {
              "last_affected": "0.0.0-20260212201848-7aac2a2c5b7c"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41145"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T23:40:05Z",
    "nvd_published_at": "2026-04-22T01:16:05Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\n_What kind of vulnerability is it? Who is impacted?_\n\nAn authentication bypass vulnerability in MinIO\u0027s `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path\nallows any user who knows a valid access key to write arbitrary objects to any bucket without knowing\nthe secret key or providing a valid cryptographic signature.\n\nAny MinIO deployment is impacted. The attack requires only a valid access key (the well-known default\n`minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name.\n\n`PutObjectHandler` and `PutObjectPartHandler` call `newUnsignedV4ChunkedReader` with a signature\nverification gate based solely on the presence of the `Authorization` header:\n\n```go\nnewUnsignedV4ChunkedReader(r, true, r.Header.Get(xhttp.Authorization) != \"\")\n```\n\nMeanwhile, `isPutActionAllowed` extracts credentials from either the `Authorization` header or the\n`X-Amz-Credential` query parameter, and trusts whichever it finds. An attacker omits the\n`Authorization` header and supplies credentials exclusively via the query string. The signature gate\nevaluates to `false`, `doesSignatureMatch` is never called, and the request proceeds with the\npermissions of the impersonated access key.\n\nThis affects `PutObjectHandler` (standard and tables/warehouse bucket paths) and\n`PutObjectPartHandler` (multipart uploads).\n\n**Affected components:** `cmd/object-handlers.go` (`PutObjectHandler`),\n`cmd/object-multipart-handlers.go` (`PutObjectPartHandler`).\n\n### Affected Versions\n\nAll MinIO releases through the final release of the minio/minio open-source project.\n\nThe vulnerability was introduced in commit\n[`76913a9fd`](https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091)\n(\"Signed trailers for signature v4\", [PR #16484](https://github.com/minio/minio/pull/16484)),\nwhich added `authTypeStreamingUnsignedTrailer` support. The first affected release is\n`RELEASE.2023-05-18T00-05-36Z`.\n\n### Patches\n\n**Fixed in**: MinIO AIStor RELEASE.2026-04-11T03-20-12Z\n\n#### Binary Downloads\n\n| Platform | Architecture | Download                                                                    |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux    | amd64        | [minio](https://dl.min.io/aistor/minio/release/linux-amd64/minio)           |\n| Linux    | arm64        | [minio](https://dl.min.io/aistor/minio/release/linux-arm64/minio)           |\n| macOS    | arm64        | [minio](https://dl.min.io/aistor/minio/release/darwin-arm64/minio)          |\n| macOS    | amd64        | [minio](https://dl.min.io/aistor/minio/release/darwin-amd64/minio)          |\n| Windows  | amd64        | [minio.exe](https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe) |\n\n#### FIPS Binaries\n\n| Platform | Architecture | Download                                                                    |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux    | amd64        | [minio.fips](https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips) |\n| Linux    | arm64        | [minio.fips](https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips) |\n\n#### Package Downloads\n\n| Format | Architecture | Download                                                                                                                            |\n| ------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------- |\n| DEB    | amd64        | [minio_20260411032012.0.0_amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio_20260411032012.0.0_amd64.deb)         |\n| DEB    | arm64        | [minio_20260411032012.0.0_arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio_20260411032012.0.0_arm64.deb)         |\n| RPM    | amd64        | [minio-20260411032012.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260411032012.0.0-1.x86_64.rpm)   |\n| RPM    | arm64        | [minio-20260411032012.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/release/linux-arm64/minio-20260411032012.0.0-1.aarch64.rpm) |\n\n#### Container Images\n\n```bash\n# Standard\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z\n\n# FIPS\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips\n```\n\n#### Homebrew (macOS)\n\n```bash\nbrew install minio/aistor/minio\n```\n\n### Workarounds\n\n- [Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-04-11T03-20-12Z` or later.](https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/)\n\nIf upgrading is not immediately possible:\n\n- **Block unsigned-trailer requests at the load balancer.** Reject any request containing\n  `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the reverse proxy or WAF layer.\n  Clients can use `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER` (the signed variant) instead.\n\n- **Restrict WRITE permissions.** Limit `s3:PutObject` grants to trusted principals. While this\n  reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE\n  permission can exploit it with only their access key.\n\n### Credits\n\n- **Finder:** Arvin Shivram of Brutecat Security ([@ddd](https://github.com/ddd))",
  "id": "GHSA-hv4r-mvr4-25vw",
  "modified": "2026-05-05T15:43:33Z",
  "published": "2026-04-14T23:40:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/security/advisories/GHSA-hv4r-mvr4-25vw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41145"
    },
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/pull/16484"
    },
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/minio/minio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MinIO has an Unauthenticated Object Write via Query-String Credential Signature Bypass in Unsigned-Trailer Uploads"
}

Mitigation
Architecture and Design

Strategy: Libraries or Frameworks

Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

CAPEC-114: Authentication Abuse

An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.

CAPEC-115: Authentication Bypass

An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

CAPEC-151: Identity Spoofing

Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.

CAPEC-194: Fake the Source of Data

An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

CAPEC-22: Exploiting Trust in Client

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data

This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.

CAPEC-593: Session Hijacking

This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.

CAPEC-633: Token Impersonation

An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.

CAPEC-650: Upload a Web Shell to a Web Server

By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.

CAPEC-94: Adversary in the Middle (AiTM)

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.