PatchSiren cyber security CVE debrief
CVE-2026-42600 minio CVE debrief
A path traversal vulnerability in MinIO's internode storage-REST endpoint allows cluster root JWT holders to read arbitrary files outside configured drive roots. The vulnerability exists in the ReadMultiple (rmpl) endpoint, where unsanitized ../ sequences in the Bucket field of a msgpack-encoded request body enable filesystem traversal. The server opens the resulting path with O_RDONLY|O_NOATIME and returns contents in the response stream. Attack scope is bounded by the MinIO process UID. This affects distributed MinIO deployments where internode storage-REST traffic is exposed. The attack requires pre-existing compromise of cluster root JWT credentials, limiting applicability to scenarios where an attacker has already obtained high-privilege access or can intercept/manipulate internode traffic.
- Vendor: minio
- Product: Unknown
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-11
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-11
- Advisory updated: 2026-05-26
Who should care
MinIO cluster administrators, security teams managing distributed object storage, organizations with compliance requirements for data segregation
Technical summary
The ReadMultiple storage-REST endpoint (v63/rmpl) fails to sanitize directory traversal sequences in the Bucket field of msgpack request bodies. An authenticated caller holding the cluster root JWT can construct requests whose Bucket field contains ../ sequences that escape the configured drive root. The server builds a filesystem path from the drivePath URL parameter and the Bucket field, then opens it via os.OpenFile with the O_RDONLY|O_NOATIME flags. The file contents are streamed back in the msgpack response. The vulnerable code spans approximately 45 months of releases. The fix implements proper path sanitization so that resolved paths cannot leave the drive root.
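The containment check the fix describes, as an added example written for this debrief rather than MinIO's own code: the drive root, the component names and the helper `safeDrivePath` are assumptions, and the check rejects any request-supplied name that would resolve outside the root.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned when request-controlled names would resolve
// outside the drive root.
var ErrPathTraversal = errors.New("path escapes drive root")

// safeDrivePath joins driveRoot with request-supplied name components
// (e.g. Bucket, then an object name) and returns the joined path only if
// it still lies inside driveRoot. Hypothetical helper, not MinIO's code.
func safeDrivePath(driveRoot string, parts ...string) (string, error) {
	root := filepath.Clean(driveRoot)
	sep := string(filepath.Separator)
	for _, p := range parts {
		c := filepath.Clean(p)
		// Empty, ".", absolute or leading-".." components are never valid
		// bucket/object names and would otherwise collapse into the root.
		if p == "" || c == "." || c == ".." || filepath.IsAbs(c) || strings.HasPrefix(c, ".."+sep) {
			return "", ErrPathTraversal
		}
	}
	full := filepath.Join(append([]string{root}, parts...)...)
	// Containment check on the cleaned result: the path relative to the
	// root must not climb out of it. Symlinks inside the root are not
	// resolved here; filepath.EvalSymlinks would be needed for that.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrPathTraversal
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: one benign request, one traversal attempt.
	for _, req := range [][]string{
		{"photos", "cat.jpg"},
		{"../../etc", "passwd"},
	} {
		p, err := safeDrivePath("/mnt/disk1", req...)
		fmt.Printf("bucket=%q object=%q -> path=%q err=%v\n", req[0], req[1], p, err)
	}
}
```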
Defensive priority
medium
Recommended defensive actions
- Upgrade MinIO to RELEASE.2026-04-14T21-32-45Z or later
- Audit cluster root JWT distribution and rotation practices
- Restrict internode storage-REST endpoint exposure to authorized cluster nodes only
- Monitor for anomalous POST requests to /minio/storage/*/v63/rmpl endpoints
- Review filesystem permissions to ensure MinIO process runs with minimal required privileges
- Implement network segmentation to limit internode traffic to cluster-internal networks
Evidence notes
Vulnerability confirmed via NVD with CVSS 4.0 vector. Affected versions span from RELEASE.2022-07-24T01-54-52Z through releases before RELEASE.2026-04-14T21-32-45Z. CWE-22 (Path Traversal) classification from GitHub Security Advisory. Fix confirmed in RELEASE.2026-04-14T21-32-45Z per vendor advisory.
Official resources
- CVE-2026-42600 CVE record (CVE.org)
- CVE-2026-42600 NVD detail (NVD)
- Source item: nvd_modified
- Mitigation or vendor reference: [email protected] - Mitigation, Patch, Vendor Advisory (2026-05-11T22:22:11.567Z)