NIXPKGS-2026-1223

GitHub issue published on

Permalink CVE-2026-40344

updated 6 days, 12 hours ago by @LeSuisse Activity log

Created suggestion 6 days, 17 hours ago
@LeSuisse ignored
37 packages
- minion
- kminion
- minio-cpp
- minio-warp
- minio-client
- minio-certgen
- minio_legacy_fs
- perlPackages.Minion
- perl5Packages.Minion
- haskellPackages.minion
- perl538Packages.Minion
- perl540Packages.Minion
- python312Packages.minio
- python313Packages.minio
- python314Packages.minio
- haskellPackages.minio-hs
- terraform-providers.minio
- haskellPackages.minion-jwt
- haskellPackages.minion-htmx
- haskellPackages.minion-conduit
- haskellPackages.minion-openapi3
- perlPackages.MinionBackendRedis
- perlPackages.MinionBackendmysql
- haskellPackages.minion-wai-extra
- perl5Packages.MinionBackendRedis
- perl5Packages.MinionBackendmysql
- perlPackages.MinionBackendSQLite
- perl5Packages.MinionBackendSQLite
- perl538Packages.MinionBackendRedis
- perl538Packages.MinionBackendmysql
- perl540Packages.MinionBackendRedis
- perl540Packages.MinionBackendmysql
- terraform-providers.aminueza_minio
- perl538Packages.MinionBackendSQLite
- perl540Packages.MinionBackendSQLite
- home-assistant-component-tests.minio
- tests.home-assistant-components.minio
6 days, 13 hours ago
@LeSuisse ignored
2 maintainers
- @bachp
- @ryan4yin
6 days, 13 hours ago maintainer.ignore
@LeSuisse accepted 6 days, 13 hours ago
@LeSuisse published on GitHub 6 days, 12 hours ago

MinIO has an Unauthenticated Object Write via Missing Signature Verification in Unsigned-Trailer Uploads

MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler (`PutObjectExtractHandler`) allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name. When `authTypeStreamingUnsignedTrailer` support was added, the new auth type was handled in `PutObjectHandler` and `PutObjectPartHandler` but was never added to `PutObjectExtractHandler`. The snowball auto-extract handler's `switch rAuthType` block has no case for `authTypeStreamingUnsignedTrailer`, so execution falls through with zero signature verification. The `isPutActionAllowed` call before the switch extracts the access key and checks IAM permissions, but does not verify the cryptographic signature. An attacker sends a PUT request with `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`, `X-Amz-Meta-Snowball-Auto-Extract: true`, and an `Authorization` header containing a valid access key with a completely fabricated signature. The request is accepted and the tar payload is extracted into the bucket. Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-04-11T03-20-12Z or later. If upgrading is not immediately possible, block unsigned-trailer requests at the load balancer. Reject any request containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER at the reverse proxy or WAF layer. Clients can use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER (the signed variant) instead. Alternatively, restrict WRITE permissions. Limit s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key.

References

https://github.com/minio/minio/security/advisories/GHSA-9c4q-hq6p-c237 x_refsource_CONFIRM

Ignored references (2)

https://github.com/minio/minio/pull/16484 x_refsource_MISC
https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091 x_refsource_MISC

Affected products

minio

==>= RELEASE.2023-05-18T00-05-36Z, < RELEASE.2026-04-11T03-20-12Z

Matching in nixpkgs

pkgs.minio

S3-compatible object storage server

nixos-unstable 2025-10-15T17-29-55Z
- nixpkgs-unstable 2025-10-15T17-29-55Z
- nixos-unstable-small 2025-10-15T17-29-55Z
nixos-25.11 2025-10-15T17-29-55Z
- nixos-25.11-small 2025-10-15T17-29-55Z
- nixpkgs-25.11-darwin 2025-10-15T17-29-55Z

Ignored packages (37)

pkgs.minion

Addon manager for World of Warcraft and The Elder Scrolls Online

nixos-unstable 3.0.12
- nixpkgs-unstable 3.0.12
- nixos-unstable-small 3.0.12
nixos-25.11 3.0.12
- nixos-25.11-small 3.0.12
- nixpkgs-25.11-darwin 3.0.12

pkgs.kminion

Feature-rich Prometheus exporter for Apache Kafka written in Go

nixos-unstable 2.2.13
- nixpkgs-unstable 2.2.13
- nixos-unstable-small 2.2.13
nixos-25.11 2.2.13
- nixos-25.11-small 2.2.13
- nixpkgs-25.11-darwin 2.2.13

pkgs.minio-cpp

MinIO C++ Client SDK for Amazon S3 Compatible Cloud Storage

nixos-unstable 0.3.0
- nixpkgs-unstable 0.3.0
- nixos-unstable-small 0.3.0

pkgs.minio-warp

S3 benchmarking tool

nixos-unstable 1.4.1
- nixpkgs-unstable 1.4.1
- nixos-unstable-small 1.4.1
nixos-25.11 1.3.1
- nixos-25.11-small 1.3.1
- nixpkgs-25.11-darwin 1.3.1

pkgs.minio-client

Replacement for ls, cp, mkdir, diff and rsync commands for filesystems and object storage

nixos-unstable 2025-08-13T08-35-41Z
- nixpkgs-unstable 2025-08-13T08-35-41Z
- nixos-unstable-small 2025-08-13T08-35-41Z
nixos-25.11 2025-08-13T08-35-41Z
- nixos-25.11-small 2025-08-13T08-35-41Z
- nixpkgs-25.11-darwin 2025-08-13T08-35-41Z

pkgs.minio-certgen

Simple Minio tool to generate self-signed certificates, and provides SAN certificates with DNS and IP entries

nixos-unstable 1.4.0
- nixpkgs-unstable 1.4.0
- nixos-unstable-small 1.4.0
nixos-25.11 1.4.0
- nixos-25.11-small 1.4.0
- nixpkgs-25.11-darwin 1.4.0

pkgs.minio_legacy_fs

S3-compatible object storage server

nixos-25.11 2022-10-24T18-35-07Z
- nixos-25.11-small 2022-10-24T18-35-07Z
- nixpkgs-25.11-darwin 2022-10-24T18-35-07Z

pkgs.perlPackages.Minion

High performance job queue for Perl

nixos-unstable 10.31
- nixpkgs-unstable 10.31
- nixos-unstable-small 10.31
nixos-25.11 10.31
- nixos-25.11-small 10.31
- nixpkgs-25.11-darwin 10.31

pkgs.perl5Packages.Minion

High performance job queue for Perl

nixos-unstable 10.31
- nixpkgs-unstable 10.31
- nixos-unstable-small 10.31

pkgs.haskellPackages.minion

A Haskell introspectable web router

nixos-unstable 0.1.0.1
- nixpkgs-unstable 0.1.0.1
- nixos-unstable-small 0.1.0.1
nixos-25.11 0.1.0.1
- nixos-25.11-small 0.1.0.1
- nixpkgs-25.11-darwin 0.1.0.1

pkgs.perl538Packages.Minion

High performance job queue for Perl

nixos-25.11 10.31
- nixos-25.11-small 10.31
- nixpkgs-25.11-darwin 10.31

pkgs.perl540Packages.Minion

High performance job queue for Perl

nixos-25.11 10.31
- nixos-25.11-small 10.31
- nixpkgs-25.11-darwin 10.31

pkgs.python312Packages.minio

Simple APIs to access any Amazon S3 compatible object storage server

nixos-25.11 7.2.18
- nixos-25.11-small 7.2.18
- nixpkgs-25.11-darwin 7.2.18

pkgs.python313Packages.minio

Simple APIs to access any Amazon S3 compatible object storage server

nixos-unstable 7.2.20
- nixpkgs-unstable 7.2.20
- nixos-unstable-small 7.2.20
nixos-25.11 7.2.18
- nixos-25.11-small 7.2.18
- nixpkgs-25.11-darwin 7.2.18

pkgs.python314Packages.minio

Simple APIs to access any Amazon S3 compatible object storage server

nixos-unstable 7.2.20
- nixpkgs-unstable 7.2.20
- nixos-unstable-small 7.2.20

pkgs.haskellPackages.minio-hs

A MinIO Haskell Library for Amazon S3 compatible cloud storage

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.terraform-providers.minio

None

nixos-unstable 3.32.1
- nixpkgs-unstable 3.30.0
- nixos-unstable-small 3.32.1
nixos-25.11 3.11.4
- nixos-25.11-small 3.11.4
- nixpkgs-25.11-darwin 3.11.4

pkgs.haskellPackages.minion-jwt

Minion JWT support

nixos-unstable 0.1.0.0
- nixpkgs-unstable 0.1.0.0
- nixos-unstable-small 0.1.0.0
nixos-25.11 0.1.0.0
- nixos-25.11-small 0.1.0.0
- nixpkgs-25.11-darwin 0.1.0.0

pkgs.haskellPackages.minion-htmx

Minion HTMX support

nixos-unstable 0.1.0.0
- nixpkgs-unstable 0.1.0.0
- nixos-unstable-small 0.1.0.0
nixos-25.11 0.1.0.0
- nixos-25.11-small 0.1.0.0
- nixpkgs-25.11-darwin 0.1.0.0

pkgs.haskellPackages.minion-conduit

Minion conduit support

nixos-unstable 0.1.0.0
- nixpkgs-unstable 0.1.0.0
- nixos-unstable-small 0.1.0.0
nixos-25.11 0.1.0.0
- nixos-25.11-small 0.1.0.0
- nixpkgs-25.11-darwin 0.1.0.0

pkgs.haskellPackages.minion-openapi3

Minion openapi3 support

nixos-unstable openapi3-0.1.0.1
- nixpkgs-unstable openapi3-0.1.0.1
- nixos-unstable-small openapi3-0.1.0.1
nixos-25.11 openapi3-0.1.0.1
- nixos-25.11-small openapi3-0.1.0.1
- nixpkgs-25.11-darwin openapi3-0.1.0.1

pkgs.perlPackages.MinionBackendRedis

Redis backend for Minion job queue

nixos-unstable 0.003
- nixpkgs-unstable 0.003
- nixos-unstable-small 0.003
nixos-25.11 0.003
- nixos-25.11-small 0.003
- nixpkgs-25.11-darwin 0.003

pkgs.perlPackages.MinionBackendmysql

MySQL backend for the Minion job queue

nixos-unstable 1.003
- nixpkgs-unstable 1.003
- nixos-unstable-small 1.003
nixos-25.11 1.003
- nixos-25.11-small 1.003
- nixpkgs-25.11-darwin 1.003

pkgs.haskellPackages.minion-wai-extra

Minion wrappers for wai-extra

nixos-unstable 0.1.0.0
- nixpkgs-unstable 0.1.0.0
- nixos-unstable-small 0.1.0.0
nixos-25.11 0.1.0.0
- nixos-25.11-small 0.1.0.0
- nixpkgs-25.11-darwin 0.1.0.0