Bitnami package

minio

pkg:bitnami/minio

Vulnerabilities (26)

  • CVE-2026-42600 | Medium | May 11, 2026
    affected >= 2022.07.24

    MinIO is a high-performance object storage system. From RELEASE.2022-07-24T01-54-52Z to before RELEASE.2026-04-14T21-32-45Z, a path traversal vulnerability in MinIO's ReadMultiple internode storage-REST endpoint allows a caller holding the cluster root JWT to read files from outs

  • CVE-2026-41145 | High | Apr 22, 2026
    affected >= 2023.05.18

    MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path allows any user who knows a valid access key to

  • CVE-2026-40344 | High | Apr 22, 2026
    affected >= 2023.05.18

    MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler (`PutObjectExtractHandler`) allows any user who knows a valid acc

  • CVE-2026-39414 | Medium | Apr 8, 2026
    affected >= 2018.08.18, < 2026.04.10; fixed 2026.04.10

    MinIO is a high-performance object storage system. From RELEASE.2018-08-18T03-49-57Z to before RELEASE.2025-12-20T04-58-37Z, MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files containing lines longer than available memory. The CSV reader's next

  • CVE-2026-34204 | High | Mar 31, 2026
    affected >= 2024.03.30

    MinIO is a high-performance object storage system. Prior to version RELEASE.2026-03-26T21-24-40Z, a flaw in extractMetadataFromMime() allows any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects by sending crafted X-Mi

  • CVE-2026-33419 | High | Mar 24, 2026
    affected < 2026.03.17; fixed 2026.03.17

    MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error respo

  • CVE-2026-33322 | Critical | Mar 24, 2026
    affected >= 2022.11.08, < 2026.03.17; fixed 2026.03.17

    MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary iden

  • CVE-2025-62506 | High | Oct 16, 2025
    affected < 2025.10.15; fixed 2025.10.15

    MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrict

  • CVE-2025-31489 | High | Apr 3, 2025
    affected < 2023.12.23; fixed 2023.12.23

    MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRI

  • CVE-2025-27414 | Medium | Feb 28, 2025
    affected >= 2024.6.6, < 2025.2.28; fixed 2025.2.28

    MinIO is a high performance object storage. Starting in RELEASE.2024-06-06T09-36-42Z and prior to RELEASE.2025-02-28T09-55-16Z, a bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. On a MinIO

  • CVE-2024-55949 | Critical | Dec 16, 2024
    affected >= 2022.6.23, < 2024.12.13; fixed 2024.12.13

    MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Minio is subject to a privilege escalation in IAM import API, all users are impacted since MinIO commit `580d9db85e04f1b63cc2909af50f0ed08afa965f`. This issue has been addressed in com

  • CVE-2024-36107 | Medium | May 28, 2024
    affected < 2024.5.27; fixed 2024.5.27

    MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. `If-Modified-Since` and `If-Unmodified-Since` headers when used with anonymous requests by sending a random object name requests can be used to determine if an object exists or not o

  • CVE-2024-24747 | Jan 31, 2024
    affected >= 2024.1.31, < 2024.2.4; fixed 2024.2.4

    MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, a

  • CVE-2023-28434 | KEV | Mar 22, 2023
    affected < 2023.03.20; fixed 2023.03.20

    Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requi

  • CVE-2023-28433 | Mar 22, 2023
    affected < 2023.03.20; fixed 2023.03.20

    Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as

  • CVE-2023-28432 | KEV | Mar 22, 2023
    affected >= 2019.12.17, < 2023.03.20; fixed 2023.03.20

    Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information

  • CVE-2023-27589 | Mar 14, 2023
    affected >= 2020.12.23, < 2023.03.13; fixed 2023.03.13

    Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created succ

  • CVE-2023-25812 | Feb 21, 2023
    affected >= 2020.04.10, < 2023.02.17; fixed 2023.02.17

    Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a `Deny` policy on ByPassGoverance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header `X-Amz-Bypass-Governance-Retention: tr

  • CVE-2022-35919 | Aug 1, 2022
    affected < 2022.07.29; fixed 2022.07.29

    MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all 'admin' users authorized for `admin:ServerUpdate` can selectively trigger an error that in response, returns the content of the path requested. Any normal OS

  • CVE-2022-31028 | Jun 3, 2022
    affected >= 2019.09.25, < 2022.06.02; fixed 2022.06.02

    MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the

Page 1 of 2