CVE-2026-42600

CVE-2026-42600 is a medium-severity vulnerability in Minio with a CVSS 3.x base score of 4.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-22.

Key facts

Description

MinIO is a high-performance object storage system. From RELEASE.2022-07-24T01-54-52Z to before RELEASE.2026-04-14T21-32-45Z, A path traversal vulnerability in MinIO's ReadMultiple internode storage-REST endpoint allows a caller holding the cluster root JWT to read files from outside the configured drive roots, bounded only by the MinIO process UID. The attacker sends POST minio/storage/{drivePath}/v63/rmpl with a msgpack-encoded body carrying ../ sequences in the Bucket field. The server opens the resulting path via os.OpenFile with O_RDONLY|O_NOATIME and returns its contents in the msgpack response stream. This vulnerability is fixed in RELEASE.2026-04-14T21-32-45Z.

Frequently asked questions

What is CVE-2026-42600?
MinIO is a high-performance object storage system. From RELEASE.2022-07-24T01-54-52Z to before RELEASE.2026-04-14T21-32-45Z, A path traversal vulnerability in MinIO's ReadMultiple internode storage-REST endpoint allows a caller holding the cluster root JWT to read files from outside the configured drive roots, bounded only by the MinIO process UID. The attacker sends POST minio/storage/{drivePath}/v63/rmpl with a msgpack-encoded body carrying ../ sequences in the Bucket field. The server opens the resulting path via os.OpenFile with O_RDONLY|O_NOATIME and returns its contents in the msgpack response stream. This vulnerability is fixed in RELEASE.2026-04-14T21-32-45Z.
How severe is CVE-2026-42600?
CVE-2026-42600 has a CVSS 3.x base score of 4.9, rated medium severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2026-42600 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 8% (94th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-42600?
CVE-2026-42600 affects Minio. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-42600?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-42600 have an EU (EUVD) identifier?
Yes. CVE-2026-42600 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-29296.
When was CVE-2026-42600 published?
CVE-2026-42600 was published on 2026-05-11 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Minio

All CVEs affecting Minio →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →