CVE-2026-42600

CVE-2026-42600 is a medium-severity path traversal vulnerability in github.com/minio/minio (go), affecting versions >= 0.0.0-20220724015452, < 0.0.0-20260414213245. It is fixed in 0.0.0-20260414213245.

Summary

MinIO vulnerable to Path Traversal via msgpack Body in ReadMultiple Storage-REST Endpoint

Full technical description

Affected Versions

All MinIO releases from RELEASE.2022-07-24T01-54-52Z through the final
release of the minio/minio open-source project, RELEASE.2025-09-07T16-13-09Z.

The vulnerability was introduced in commit
f939d1c18
("Independent Multipart Uploads",
PR #15346), which added the
ReadMultiple storage-REST endpoint as part of the multipart upload
redesign. The first affected release is RELEASE.2022-07-24T01-54-52Z.

Binary Downloads

Platform Architecture Download
Linux amd64 minio
Linux arm64 minio
macOS arm64 minio
macOS amd64 minio
Windows amd64 minio.exe

FIPS Binaries

Platform Architecture Download
Linux amd64 minio.fips
Linux arm64 minio.fips

Package Downloads

Container Images

# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-14T21-32-45Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-14T21-32-45Z

# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-14T21-32-45Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-14T21-32-45Z.fips

Homebrew (macOS)

brew install minio/aistor/minio

Workarounds

If upgrading is not immediately possible:

  • Rotate the root credential and restrict who holds it. The exploit
    requires a JWT signed with MINIO_ROOT_PASSWORD. Treat the root credential
    as the host-filesystem disclosure primitive that it is: rotate it after any
    suspected exposure, store it only in the secret manager that bootstraps the
    cluster, and do not hand it to applications or operators who only need
    object-level access.

  • Do not run the MinIO container as UID 0. Set
    securityContext.runAsNonRoot: true (and a non-zero runAsUser) in
    Kubernetes manifests, or add --user to docker run. This reduces the
    blast radius from arbitrary host-filesystem disclosure to MinIO-UID-owned
    files only.

  • Restrict the internode storage-REST port at the network layer. In
    distributed deployments, the storage-REST route is served on the same port
    as the S3 API by default. Where feasible, use --internode-port to expose
    internode traffic on a separate interface reachable only from other cluster
    peers, and block that interface from client networks.

Credits

  • Finders: Discovered by Claude, Anthropic's AI assistant, and triaged by
    Adrian Denkiewicz at Doyensec in collaboration with Anthropic
    Research
    .

Resources

Impact

What kind of vulnerability is it? Who is impacted?

A path traversal vulnerability in MinIO's ReadMultiple internode storage-REST
endpoint allows a caller holding the cluster root JWT to read files from
outside the configured drive roots, bounded only by the MinIO process UID.

Distributed-erasure (multi-node) MinIO deployments are impacted. Single-node
standalone deployments do not register the route and are not affected. The
attack requires an HS512 JWT signed with MINIO_ROOT_PASSWORD and carrying
accessKey = MINIO_ROOT_USER, the same secret every peer in the cluster
holds to authenticate internode traffic, so a compromised peer or any actor in
possession of the root credential can mint one.

The ReadMultiple handler (cmd/storage-rest-server.go) decodes a msgpack
ReadMultipleReq body containing Bucket, Prefix, and Files fields and
forwards them to xlStorage.ReadMultiple (cmd/xl-storage.go) without
validation:

volumeDir := pathJoin(s.drivePath, req.Bucket)          // traversal resolves here
for _, f := range req.Files {
    fullPath := pathJoin(volumeDir, req.Prefix, f)
    data, mt, err = s.readAllDataWithDMTime(ctx, req.Bucket, volumeDir, fullPath)
}

pathJoin calls path.Clean, which resolves .. components and produces an
absolute path anywhere on the filesystem, it is not a root jail. The global
setRequestValidityMiddleware rejects .. in r.URL.Path and r.Form but
does not inspect request bodies, so msgpack-encoded traversal bypasses it.
Sibling storage methods (StatInfoFile, ReadFileHandler, ReadVersion)
validate their volume argument through s.getVolDir(volume), which rejects
..; ReadMultiple skips this call.

The attacker sends POST /minio/storage/{drivePath}/v63/rmpl with a
msgpack-encoded body carrying ../ sequences in the Bucket field. The
server opens the resulting path via os.OpenFile with O_RDONLY|O_NOATIME
and returns its contents in the msgpack response stream.

Impact by deployment:

  • Bare-metal with User=minio in the systemd unit, the O_NOATIME
    ownership check bounds the read to files owned by the MinIO UID. Reachable
    secrets include TLS private keys, KMS/KES key material, systemd credentials,
    and data belonging to other tenants sharing the same UID on the host.
    Secrets leaked this way persist across cluster credential rotation.

  • Containerized running as UID 0 (the historical default for the official
    Docker image, docker-compose examples, and Helm charts without
    securityContext.runAsNonRoot), the primitive escalates to arbitrary
    host-filesystem disclosure: /etc/shadow, /root/**, Kubernetes
    service-account tokens, cloud-init metadata caches.

Affected components: cmd/storage-rest-server.go (ReadMultiple handler),
cmd/xl-storage.go (xlStorage.ReadMultiple).

CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory
'Path Traversal')

CVSS v4.0 Score: 6.9 (Medium)

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.

CVE-2026-42600 has a CVSS score of 4.9 (Medium). The vector is network-reachable, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.0.0-20260414213245); upgrading removes the vulnerable code path.

Affected versions

github.com/minio/minio (>= 0.0.0-20220724015452, < 0.0.0-20260414213245)

Security releases

github.com/minio/minio → 0.0.0-20260414213245 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Fixed in: MinIO AIStor RELEASE.2026-04-14T21-32-45Z (recommended
upgrade target). The fix, which removed the ReadMultiple handler, the
corresponding storage-driver method, the msgpack datatypes, the REST-client
wrapper, and the route registration, first shipped in MinIO AIStor
RELEASE.2024-10-23T19-38-07Z
. Every AIStor release from
RELEASE.2024-10-23T19-38-07Z onward is unaffected; users should upgrade to
RELEASE.2026-04-14T21-32-45Z or later to pick up the accumulated fixes and
improvements shipped since.

Frequently Asked Questions

  1. What is CVE-2026-42600? CVE-2026-42600 is a medium-severity path traversal vulnerability in github.com/minio/minio (go), affecting versions >= 0.0.0-20220724015452, < 0.0.0-20260414213245. It is fixed in 0.0.0-20260414213245. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
  2. How severe is CVE-2026-42600? CVE-2026-42600 has a CVSS score of 4.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/minio/minio are affected by CVE-2026-42600? github.com/minio/minio (go) versions >= 0.0.0-20220724015452, < 0.0.0-20260414213245 is affected.
  4. Is there a fix for CVE-2026-42600? Yes. CVE-2026-42600 is fixed in 0.0.0-20260414213245. Upgrade to this version or later.
  5. Is CVE-2026-42600 exploitable, and should I be worried? Whether CVE-2026-42600 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-42600 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-42600? Upgrade github.com/minio/minio to 0.0.0-20260414213245 or later.

Other vulnerabilities in github.com/minio/minio

Stop the waste.
Protect your environment with Kodem.