CVE Alert

CVE-2026-42600

UNKNOWN 0.0

MinIO: Path Traversal via msgpack Body in `ReadMultiple` Storage-REST Endpoint

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

MinIO is a high-performance object storage system. From RELEASE.2022-07-24T01-54-52Z up to, but not including, RELEASE.2026-04-14T21-32-45Z, a path traversal vulnerability in MinIO's `ReadMultiple` internode storage-REST endpoint allows a caller holding the cluster root JWT to read files from outside the configured drive roots, bounded only by the MinIO process UID. The attacker sends `POST minio/storage/{drivePath}/v63/rmpl` with a msgpack-encoded body carrying `../` sequences in the `Bucket` field. The server opens the resulting path via `os.OpenFile` with `O_RDONLY|O_NOATIME` and returns its contents in the msgpack response stream. This vulnerability is fixed in RELEASE.2026-04-14T21-32-45Z.
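
To illustrate the class of bug described above, the following added example (not MinIO's code and not its actual fix) contrasts a plain path join with a containment check applied to a bucket and object name taken from a request body. The function names, the drive root `/data/drive1` and the sample inputs are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideDrive reports a request field that resolves outside its parent directory.
var ErrOutsideDrive = errors.New("path escapes drive root")

// naiveJoin shows the unsafe pattern: filepath.Join cleans "../" segments,
// so the result can land outside driveRoot without any error.
func naiveJoin(driveRoot, bucket, object string) string {
	return filepath.Join(driveRoot, bucket, object)
}

// within reports whether target is base itself or lexically below it.
func within(base, target string) bool {
	rel, err := filepath.Rel(base, target)
	return err == nil && rel != ".." &&
		!strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveUnderDrive (hypothetical helper) checks each field against its parent.
// The check is lexical only; symlinks inside the drive are not resolved.
func resolveUnderDrive(driveRoot, bucket, object string) (string, error) {
	root := filepath.Clean(driveRoot)
	bucketDir := filepath.Join(root, bucket)
	if bucketDir == root || !within(root, bucketDir) {
		return "", ErrOutsideDrive
	}
	full := filepath.Join(bucketDir, object)
	if !within(bucketDir, full) {
		return "", ErrOutsideDrive
	}
	return full, nil
}

func main() {
	// Constructed inputs; "/data/drive1" is an assumed drive root.
	for _, bucket := range []string{"photos", "../../outside"} {
		p, err := resolveUnderDrive("/data/drive1", bucket, "file.txt")
		fmt.Printf("bucket=%q naive=%q checked=%q err=%v\n",
			bucket, naiveJoin("/data/drive1", bucket, "file.txt"), p, err)
	}
}
```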

CWE: CWE-22
Vendor: minio
Product: minio
Published: May 11, 2026

Affected Versions

minio / minio
>= RELEASE.2022-07-24T01-54-52Z, < RELEASE.2026-04-14T21-32-45Z

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/minio/minio/security/advisories/GHSA-xh8f-g2qw-gcm7