Storage

In MinIO versions RELEASE.2022-07-24T01-54-52Z to before RELEASE.2026-04-14T21-32-45Z a medium severity vulnerability CVE-2026-42600 was detected. This vulnerability allows an attacker holding the cluster root JWT to read arbitrary files from outside the configured drive roots via a path traversal attack. This occurs because the ReadMultiple internode storage-REST endpoint improperly processes a msgpack-encoded POST request containing “../” sequences in the Bucket field, causing the server to open and return the contents of unintended files (bounded only by the MinIO process UID). To address this issue, users should upgrade MinIO to version RELEASE.2026-04-14T21-32-45Z. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-42600.

In MinIO versions RELEASE.2023-05-18T00-05-36Z to versions prior to RELEASE.2026-04-11T03-20-12Z a high severity vulnerability CVE-2026-41145 was detected. This vulnerability allows attackers with a valid access key to bypass authentication and write arbitrary objects to any bucket without a secret key or valid cryptographic signature by exploiting the STREAMING-UNSIGNED-PAYLOAD-TRAILER code path. To address this issue, users should upgrade MinIO to versions RELEASE.2026-04-11T03-20-12Z or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-41145.

In MinIO versions RELEASE.2023-05-18T00-05-36Z to versions prior to RELEASE.2026-04-11T03-20-12Z a high severity vulnerability CVE-2026-40344 was detected. This vulnerability allows attackers who know a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature, due to missing signature verification for unsigned-trailer uploads in the Snowball auto-extract handler. To address this issue, users should upgrade MinIO to versions RELEASE.2026-04-11T03-20-12Z or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-40344.

In MinIO versions from RELEASE.2018-08-18T03-49-57Z to before RELEASE.2025-12-20T04-58-37Z high severity vulnerability CVE-2026-39414 was detected. This vulnerability allows authenticated attackers to cause an Out-of-Memory (OOM) crash and denial of service by uploading specially crafted CSV files without newline characters, which triggers unlimited memory allocation during S3 Select processing. To address this issue users must upgrade to MinIO AIStor RELEASE.2025-12-20T04-58-37Z version. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-39414.

In MinIO versions starting in RELEASE.2024-06-06T09-36-42Z and prior to
RELEASE.2025-02-28T09-55-16Z a medium severity vulnerability CVE-2025-27414 was detected. This vulnerability allows attackers to bypass authentication and gain unauthorized data access by exploiting a bug in evaluating the trust of the SSH key used in an SFTP connection. To address this issue, users should upgrade MinIO to version RELEASE.2025-02-28T09-55-16Z. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27414.

In Nextcloud Server and Enterprise Server versions from 22.0.0 to 24.0.6 a medium severity vulnerability was detected. This vulnerability allows shared items to remain accessible to users after they are removed from a group, even when the server is configured to restrict sharing within groups. To address this issue, users should upgrade to Nextcloud Server versions 22.2.11, 23.0.11, or 24.0.6, and Nextcloud Enterprise Server versions 22.2.11, 23.0.11, or 24.0.6. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-52516.

In Nextcloud Server and Enterprise Server versions from 25.0.0 to 30.0.1 a medium severity vulnerability CVE-2024-52517 was detected. This vulnerability allows attackers with access to an active user session to read global credentials in plain text. To address this issue, users should upgrade to Nextcloud Server versions 28.0.11, 29.0.8, or 30.0.1 and Nextcloud Enterprise Server versions 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8, or 30.0.1. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-52517.

In MinIO versions from RELEASE.2022-06-25T15-50-16Z to RELEASE.2024-12-13T22-19-12Z a critical severity vulnerability CVE-2024-55949 was found. This vulnerability allows attackers to gain higher privileges. To address this issue, users are advised to upgrade to MinIO version RELEASE.2024-12-13T22-19-12Z or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-55949.

In Nextcloud Desktop Client versions 3.13.1 through 3.13.3 on Linux a critical severity vulnerability CVE-2024-46958 was detected. This vulnerability allows synchronized files between the server and client to become world writable or world readable. To address this issue, updating to version 3.13.4 is recommended. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-46958.