Vulnerability Reportminio/minio:RELEASE.2025-09-07T16-13-09Z-cpuv1

minio/minio:RELEASE.2025-09-07T16-13-09Z-cpuv1

DIGESTsha256:13582eff79c6605a2d315bdd0e70164142ea7e98fc8411e9e10d089502a6d883

Executive Summary

Threat ScoreCAUTION• 90 exposed vulnerabilities, 18 with severity >= 6.0, indicating a broad attack surface.• CVE-2026-40344 and CVE-2026-41145 (CVSS 6.97) allow unauthenticated object writes via unsigned-trailer uploads, critical for MinIO's S3 API.• CVE-2025-68121 (CVSS 6.8) permits TLS certificate validation bypass during session resumption under specific conditions.• Multiple denial-of-service vectors from stdlib flaws (e.g., CVE-2025-61726, CVE-2026-25679, CVE-2026-32283) can impact availability.• Popular community image (1.8B+ pulls) but not officially verified; trust score is 90 (RELIABLE).• Post-exploit vulnerabilities are minimal (5 total, max severity 2.7), reducing escalation risk.

50/100CAUTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (1812M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image carries significant risk; production deployment is highly discouraged without strict compensating controls. An attacker with knowledge of a valid access key (including the default 'minioadmin') can exploit CVE-2026-40344 or CVE-2026-41145 to write arbitrary objects to any bucket without authentication. Additional issues like CVE-2025-68121 require specific TLS configuration mutations to be exploitable. Blocking unsigned-trailer requests at the load balancer fully mitigates the top two vulnerabilities. Note that CVE-2026-33322 (JWT algorithm confusion) only applies if OIDC authentication is enabled.

Vulnerabilities

Vulnerability Log

113 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-40344	MEDIUM6.97	github.com/minio/minio v0.0.0-20250907161309-07c3a429bfed+dirty No fix yet	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-41145	MEDIUM6.97	github.com/minio/minio v0.0.0-20250907161309-07c3a429bfed+dirty No fix yet	0.3% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2025-68121	MEDIUM6.8	stdlib v1.24.6 fixed in 1.24.13, 1.25.7, 1.26.0-rc.3	0.8% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33322	MEDIUM6.66	github.com/minio/minio v0.0.0-20250907161309-07c3a429bfed+dirty No fix yet	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42151	MEDIUM6.38	github.com/prometheus/prometheus v0.303.0 fixed in 0.311.3	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42154	MEDIUM6.38	github.com/prometheus/prometheus v0.303.0 fixed in 0.311.3, 0.305.2	0.6% Theoretical Threat	Directly Exposed
CVE-2025-61726	MEDIUM6.38	stdlib v1.24.6 fixed in 1.24.12, 1.25.6	0.8% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-25679	MEDIUM6.38	stdlib v1.24.6 fixed in 1.25.8, 1.26.1	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-32283	MEDIUM6.38	stdlib v1.24.6 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-39820	MEDIUM6.38	stdlib v1.24.6 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-39836	MEDIUM6.38	stdlib v1.24.6 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly Exposed
CVE-2025-58183	MEDIUM6.38	stdlib v1.24.6 fixed in 1.24.8, 1.25.2	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-41602	MEDIUM6.38	github.com/apache/thrift v0.21.0 fixed in 0.23.0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-32285	MEDIUM6.38	github.com/buger/jsonparser v1.1.1 fixed in 1.1.2	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-34986	MEDIUM6.38	github.com/go-jose/go-jose/v4 v4.1.0 fixed in 4.1.4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-33186	MEDIUM6.18	google.golang.org/grpc v1.71.0 fixed in 1.79.3	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33186	MEDIUM6.18	google.golang.org/grpc v1.72.0 fixed in 1.79.3	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-34204	MEDIUM6.03	github.com/minio/minio v0.0.0-20250907161309-07c3a429bfed+dirty No fix yet	0.1% Theoretical Threat	Directly Exposed
CVE-2026-4878	MEDIUM5.95	libcap 2.48-6.el8_9 fixed in 2.48-6.el8_10.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-39883	MEDIUM5.95	go.opentelemetry.io/otel/sdk v1.35.0 fixed in 1.43.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc 2.28-251.el8_10.25 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6238	MEDIUM5.52	glibc 2.28-251.el8_10.25 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc-common 2.28-251.el8_10.25 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6238	MEDIUM5.52	glibc-common 2.28-251.el8_10.25 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc-minimal-langpack 2.28-251.el8_10.25 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6238	MEDIUM5.52	glibc-minimal-langpack 2.28-251.el8_10.25 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2025-61727	MEDIUM5.52	stdlib v1.24.6 fixed in 1.24.11, 1.25.5	0.3% Theoretical Threat	Directly Exposed
CVE-2026-39414	MEDIUM5.52	github.com/minio/minio v0.0.0-20250907161309-07c3a429bfed+dirty No fix yet	0.4% Theoretical Threat	Directly Exposed
CVE-2019-14250	MEDIUM5.5	libgcc 8.5.0-28.el8_10 No fix yet	2.3% Low-Moderate Risk	Directly Exposed
CVE-2026-32282	MEDIUM5.44	stdlib v1.24.6 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-40179	MEDIUM5.18	github.com/prometheus/prometheus v0.303.0 fixed in 0.311.2-0.20260410083055-07c6232d159b	0.2% Theoretical Threat	Directly Exposed
CVE-2026-44903	MEDIUM5.18	github.com/prometheus/prometheus v0.303.0 fixed in 0.311.3	0.1% Theoretical Threat	Directly Exposed
CVE-2026-32289	MEDIUM5.18	stdlib v1.24.6 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2025-61729	MEDIUM5.1	stdlib v1.24.6 fixed in 1.24.11, 1.25.5	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32280	MEDIUM5.1	stdlib v1.24.6 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32281	MEDIUM5.1	stdlib v1.24.6 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33811	MEDIUM5.1	stdlib v1.24.6 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33814	MEDIUM5.1	stdlib v1.24.6 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33419	MEDIUM5.1	github.com/minio/minio v0.0.0-20250907161309-07c3a429bfed+dirty No fix yet	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-5435	MEDIUM5.02	glibc 2.28-251.el8_10.25 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	glibc 2.28-251.el8_10.25 fixed in 2.28-251.el8_10.31	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5435	MEDIUM5.02	glibc-common 2.28-251.el8_10.25 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	glibc-common 2.28-251.el8_10.25 fixed in 2.28-251.el8_10.31	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5435	MEDIUM5.02	glibc-minimal-langpack 2.28-251.el8_10.25 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	glibc-minimal-langpack 2.28-251.el8_10.25 fixed in 2.28-251.el8_10.31	0.3% Theoretical Threat	Directly Exposed
CVE-2022-27943	MEDIUM4.67	libgcc 8.5.0-28.el8_10 No fix yet	0.9% Theoretical Threat	Directly Exposed
CVE-2026-32288	MEDIUM4.67	stdlib v1.24.6 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27142	MEDIUM4.59	stdlib v1.24.6 fixed in 1.25.8, 1.26.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-39826	MEDIUM4.59	stdlib v1.24.6 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	glibc 2.28-251.el8_10.25 fixed in 2.28-251.el8_10.31	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc 2.28-251.el8_10.25 fixed in 2.28-251.el8_10.37	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	glibc-common 2.28-251.el8_10.25 fixed in 2.28-251.el8_10.31	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-common 2.28-251.el8_10.25 fixed in 2.28-251.el8_10.37	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	glibc-minimal-langpack 2.28-251.el8_10.25 fixed in 2.28-251.el8_10.31	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-minimal-langpack 2.28-251.el8_10.25 fixed in 2.28-251.el8_10.37	0.4% Theoretical Threat	Directly Exposed
CVE-2025-47914	MEDIUM4.5	golang.org/x/crypto v0.40.0 fixed in 0.45.0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-58181	MEDIUM4.5	golang.org/x/crypto v0.40.0 fixed in 0.45.0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-47912	MEDIUM4.5	stdlib v1.24.6 fixed in 1.24.8, 1.25.2	0.4% Theoretical Threat	Directly Exposed
CVE-2025-58185	MEDIUM4.5	stdlib v1.24.6 fixed in 1.24.8, 1.25.2	0.5% Theoretical Threat	Directly Exposed
CVE-2025-58187	MEDIUM4.5	stdlib v1.24.6 fixed in 1.24.9, 1.25.3	0.4% Theoretical Threat	Directly Exposed
CVE-2025-58188	MEDIUM4.5	stdlib v1.24.6 fixed in 1.24.8, 1.25.2	0.3% Theoretical Threat	Directly Exposed
CVE-2025-58189	MEDIUM4.5	stdlib v1.24.6 fixed in 1.24.8, 1.25.2	0.4% Theoretical Threat	Directly Exposed
CVE-2025-61723	MEDIUM4.5	stdlib v1.24.6 fixed in 1.24.8, 1.25.2	0.6% Theoretical Threat	Directly Exposed
CVE-2025-61724	MEDIUM4.5	stdlib v1.24.6 fixed in 1.24.8, 1.25.2	0.5% Theoretical Threat	Directly Exposed
CVE-2025-61725	MEDIUM4.5	stdlib v1.24.6 fixed in 1.24.8, 1.25.2	0.6% Theoretical Threat	Directly Exposed
CVE-2025-61730	MEDIUM4.5	stdlib v1.24.6 fixed in 1.24.12, 1.25.6	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42507	MEDIUM4.5	stdlib v1.24.6 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Directly Exposed
CVE-2025-58186	MEDIUM4.5	stdlib v1.24.6 fixed in 1.24.8, 1.25.2	0.5% Theoretical Threat	Directly Exposed
CVE-2025-10543	MEDIUM4.5	github.com/eclipse/paho.mqtt.golang v1.5.0 fixed in 1.5.1	0.2% Theoretical Threat	Directly Exposed
CVE-2025-47914	MEDIUM4.5	golang.org/x/crypto v0.37.0 fixed in 0.45.0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-58181	MEDIUM4.5	golang.org/x/crypto v0.37.0 fixed in 0.45.0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc 2.28-251.el8_10.25 No fix yet	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc 2.28-251.el8_10.25 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc-common 2.28-251.el8_10.25 No fix yet	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc-common 2.28-251.el8_10.25 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc-minimal-langpack 2.28-251.el8_10.25 No fix yet	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc-minimal-langpack 2.28-251.el8_10.25 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc 2.28-251.el8_10.25 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc-common 2.28-251.el8_10.25 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc-minimal-langpack 2.28-251.el8_10.25 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-26958	LOW3.15	filippo.io/edwards25519 v1.1.0 fixed in 1.1.1	0.4% Theoretical Threat	Directly Exposed
CVE-2018-20657	LOW2.7	libgcc 8.5.0-28.el8_10 No fix yet	4.0% Low-Moderate Risk	Post-Exploit
CVE-2026-32952	LOW2.7	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 fixed in 0.1.1	1.0% Low-Moderate Risk	Post-Exploit
CVE-2022-41409	LOW2.29	pcre2 10.32-3.el8_6 No fix yet	1.0% Theoretical Threat	Post-Exploit
CVE-2025-61728	LOW2.29	stdlib v1.24.6 fixed in 1.24.12, 1.25.6	0.6% Theoretical Threat	Post-Exploit
CVE-2025-5278	LOW2.24	coreutils-single 8.30-15.el8 No fix yet	0.2% Theoretical Threat	Post-Exploit
CVE-2026-27139	LOW2.12	stdlib v1.24.6 fixed in 1.25.8, 1.26.1	0.2% Theoretical Threat	Directly Exposed
CVE-2021-39537	NONE0	ncurses-base 6.1-10.20180224.el8 No fix yet	3.0% Low-Moderate Risk	Not Applicable
CVE-2021-39537	NONE0	ncurses-libs 6.1-10.20180224.el8 No fix yet	3.0% Low-Moderate Risk	Not Applicable
CVE-2020-19185	NONE0	ncurses-base 6.1-10.20180224.el8 No fix yet	1.4% Low-Moderate Risk	Not Applicable
CVE-2020-19186	NONE0	ncurses-base 6.1-10.20180224.el8 No fix yet	1.5% Low-Moderate Risk	Not Applicable
CVE-2020-19187	NONE0	ncurses-base 6.1-10.20180224.el8 No fix yet	1.4% Low-Moderate Risk	Not Applicable
CVE-2020-19188	NONE0	ncurses-base 6.1-10.20180224.el8 No fix yet	1.4% Low-Moderate Risk	Not Applicable
CVE-2020-19189	NONE0	ncurses-base 6.1-10.20180224.el8 No fix yet	1.9% Low-Moderate Risk	Not Applicable
CVE-2020-19190	NONE0	ncurses-base 6.1-10.20180224.el8 No fix yet	1.4% Low-Moderate Risk	Not Applicable
CVE-2023-50495	NONE0	ncurses-base 6.1-10.20180224.el8 No fix yet	1.0% Theoretical Threat	Not Applicable
CVE-2020-19185	NONE0	ncurses-libs 6.1-10.20180224.el8 No fix yet	1.4% Low-Moderate Risk	Not Applicable
CVE-2020-19186	NONE0	ncurses-libs 6.1-10.20180224.el8 No fix yet	1.5% Low-Moderate Risk	Not Applicable
CVE-2020-19187	NONE0	ncurses-libs 6.1-10.20180224.el8 No fix yet	1.4% Low-Moderate Risk	Not Applicable
CVE-2020-19188	NONE0	ncurses-libs 6.1-10.20180224.el8 No fix yet	1.4% Low-Moderate Risk	Not Applicable
CVE-2020-19189	NONE0	ncurses-libs 6.1-10.20180224.el8 No fix yet	1.9% Low-Moderate Risk	Not Applicable
CVE-2020-19190	NONE0	ncurses-libs 6.1-10.20180224.el8 No fix yet	1.4% Low-Moderate Risk	Not Applicable
CVE-2023-50495	NONE0	ncurses-libs 6.1-10.20180224.el8 No fix yet	1.0% Theoretical Threat	Not Applicable
CVE-2018-19211	NONE0	ncurses-base 6.1-10.20180224.el8 No fix yet	0.9% Theoretical Threat	Not Applicable
CVE-2018-19211	NONE0	ncurses-libs 6.1-10.20180224.el8 No fix yet	0.9% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.24.6 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.24.6 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.24.6 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.24.6 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.24.6 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2025-62506	NONE0	github.com/minio/minio v0.0.0-20250907161309-07c3a429bfed+dirty fixed in 0.0.0-20251015170045-c1a49490c78e	0.5% Theoretical Threat	Not Applicable
CVE-2026-2303	NONE0	go.mongodb.org/mongo-driver v1.17.3 fixed in 1.17.7	0.2% Theoretical Threat	Not Applicable
CVE-2026-24051	NONE0	go.opentelemetry.io/otel/sdk v1.35.0 fixed in 1.40.0	0.2% Theoretical Threat	Not Applicable