MEDIUM SeverityCVSS 4.06.9CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CVE-2026-42600

Last updated May 11, 2026 · Published May 11, 2026

Description

MinIO is a high-performance object storage system. From RELEASE.2022-07-24T01-54-52Z to before RELEASE.2026-04-14T21-32-45Z, A path traversal vulnerability in MinIO's ReadMultiple internode storage-REST endpoint allows a caller holding the cluster root JWT to read files from outside the configured drive roots, bounded only by the MinIO process UID. The attacker sends POST minio/storage/{drivePath}/v63/rmpl with a msgpack-encoded body carrying ../ sequences in the Bucket field. The server opens the resulting path via os.OpenFile with O_RDONLY|O_NOATIME and returns its contents in the msgpack response stream. This vulnerability is fixed in RELEASE.2026-04-14T21-32-45Z.

Affected products

1 listed

minio:minio

Mappings

CWE

CWE-22

CAPEC

None listed.

Research

Guides

JWT Security Best PracticesWhat to validate, rotate, and avoid in real systems.

Training

Secure File HandlingUploads, storage, and serving files without opening the door to attackers.

CVE-2026-42600

Description

Affected products

Mappings

Related