# MinIO AIStor EDGE.2026-06-21T21-29-44Z

Released: 2026-06-21

This EDGE build delivers significant S3 API surface growth — a recursive
prefix-rename operation, a client-facing advisory file-locking API, an
`?unsorted=true` listing fast-path, and metadata/tagging support on multipart
completion. It also adds distributed Iceberg table compaction with a console
UI, a batch of GPU-Direct and internode RDMA robustness work, several security
hardening fixes (cross-tenant disclosure, SSRF, path traversal, credential
redaction), and broad console and observability improvements.

---

## Downloads

### Binary Downloads

| Platform | Architecture | Download                                                                 |
| -------- | ------------ | ------------------------------------------------------------------------ |
| Linux    | amd64        | [minio](https://dl.min.io/aistor/minio/edge/linux-amd64/minio)           |
| Linux    | arm64        | [minio](https://dl.min.io/aistor/minio/edge/linux-arm64/minio)           |
| macOS    | arm64        | [minio](https://dl.min.io/aistor/minio/edge/darwin-arm64/minio)          |
| macOS    | amd64        | [minio](https://dl.min.io/aistor/minio/edge/darwin-amd64/minio)          |
| Windows  | amd64        | [minio.exe](https://dl.min.io/aistor/minio/edge/windows-amd64/minio.exe) |

### FIPS Binaries

| Platform | Architecture | Download                                                                 |
| -------- | ------------ | ------------------------------------------------------------------------ |
| Linux    | amd64        | [minio.fips](https://dl.min.io/aistor/minio/edge/linux-amd64/minio.fips) |
| Linux    | arm64        | [minio.fips](https://dl.min.io/aistor/minio/edge/linux-arm64/minio.fips) |

### Package Downloads

| Format | Architecture | Download                                                                                                                         |
| ------ | ------------ | -------------------------------------------------------------------------------------------------------------------------------- |
| DEB    | amd64        | [minio_20260621212944.0.0_amd64.deb](https://dl.min.io/aistor/minio/edge/linux-amd64/minio_20260621212944.0.0_amd64.deb)         |
| DEB    | arm64        | [minio_20260621212944.0.0_arm64.deb](https://dl.min.io/aistor/minio/edge/linux-arm64/minio_20260621212944.0.0_arm64.deb)         |
| RPM    | amd64        | [minio-20260621212944.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/edge/linux-amd64/minio-20260621212944.0.0-1.x86_64.rpm)   |
| RPM    | arm64        | [minio-20260621212944.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/edge/linux-arm64/minio-20260621212944.0.0-1.aarch64.rpm) |

### Container Images

```bash
# Standard
docker pull quay.io/minio/aistor/minio:EDGE.2026-06-21T21-29-44Z
podman pull quay.io/minio/aistor/minio:EDGE.2026-06-21T21-29-44Z

# FIPS
docker pull quay.io/minio/aistor/minio:EDGE.2026-06-21T21-29-44Z.fips
podman pull quay.io/minio/aistor/minio:EDGE.2026-06-21T21-29-44Z.fips
```

Note: Homebrew is only available for RELEASE builds, not EDGE builds.

---

## Security Updates

- Fixed a cross-tenant inventory disclosure where the system-warehouse read API
  could expose another tenant's inventory data (#5793).
- Fixed MCP token resurrection so revoked Model Context Protocol tokens can no
  longer be reused (#5804), and tightened MCP copy and move permission checks so
  those operations require the correct object-level grants (#5799).
- Blocked Server-Side Request Forgery from batch job endpoints to link-local and
  cloud metadata addresses (#5808).
- Redacted source credentials from batch replicate job `describe` output so they
  are no longer returned to API callers (#5806).
- Rejected path-traversal sequences in storage REST volume and path handling
  (#5772).
- Encrypted Tables maintenance configuration and job-status files at rest
  (#5817).
- Delta Sharing token and share revocations now broadcast cluster-wide, so a
  revoked credential is rejected on every node immediately (#5785).

---

## New Features

### S3 API

- **Recursive prefix rename**: added a `RenamePrefix` operation that renames an
  entire prefix tree server-side in a single call instead of copy-and-delete per
  object (#5900).
- **Advisory file locking**: added a client-facing advisory (`flock`-style) lock
  API for coordinating concurrent access from S3 clients (#5906).
- **Unsorted listings**: `ListObjectsV2` now accepts an `?unsorted=true`
  extension that skips lexical ordering for a faster listing path on large
  prefixes where order is not required (#5916).
- **Multipart metadata and tags**: `CompleteMultipartUpload` now honors
  `x-amz-meta-*` user metadata and `x-amz-tagging` headers (#5922).
- Accept a bucket-less `x-amz-rename-source` header for AWS S3 Express
  compatibility (#5789).

### Iceberg Tables

- **Distributed table compaction**: added distributed compaction for Iceberg
  tables (#4982) along with a console UI to configure and monitor compaction
  jobs (#4806).
- Added support for table tags (#5501).
- Added a post-failover replication resync path for disaster-recovery scenarios
  (#5412).
- Warehouse buckets now have versioning enabled by default (#5668).
- Added admin trigger endpoints to run snapshot expiration and unreferenced-file
  removal (UFR) on demand (#5886).
- Table monitoring now uses cluster-wide API statistics, with per-table windowed
  IOPS and throughput metrics and an improved monitoring view
  (#5745, #5637, #5374).

### Observability & Alerts

- Added realtime power-consumption metrics (#5025).
- Cert-expiry alerting now also monitors the server TLS certificate, client
  certificates, and configured CAs for upcoming expiry (#5418).
- Added an `IAMInfo` section to collected health data for richer support
  diagnostics (#5537).
- Added Set Index and Drive Index columns to the drives table for clearer
  topology mapping (#5792).

### API Logs

- Added snapshot expiry and orphan-file pruning for API logs so log storage no
  longer grows unbounded (#5618).

### Identity & Access

- Added a configurable per-user service-account limit (#5774).

### Console

- Rewrote the bucket QoS page with a table editor and inline metrics (#5530).
- Split the Users edit sheet into separate Manage and Change Password flows
  (#5662).
- Table sharing now supports editing a share description and multi-select delete
  (#5706), and removed a duplicate "Create Share" button on the Table Sharing
  page (#5657).
- The access-key create dialog now seeds the policy editor with the creating
  user's own policy as a starting point (#5681).
- Replaced the native datetime picker with a shadcn Calendar component (#5523).

---

## Performance Improvements

- GPU-Direct RDMA transfers now respect the `--api-bandwidth` cap, so the RDMA
  data path participates in cluster bandwidth shaping (#5596).
- Made the windowed stats `Add` path lock-free and removed `SaveStats`
  contention, reducing overhead on high-IOPS workloads (#5819).
- Parallelized local drive open during server startup for faster boot on
  high-drive-count nodes (#5787).
- Batched `ListObjects` decryption through a single `DecryptAll` call on the KMS
  connection, cutting per-object KMS round-trips during encrypted listings
  (#5643).
- Coalesced KMS calls by caching the unsealed object encryption key on
  `ObjectInfo` and sharing it across precondition and body decryption
  (#5636, #5673).
- Improved the in-memory metadata cache (faster xxh3 hashing and a second-chance
  eviction policy) (#5836).
- Console object uploads now run through a 4-way concurrent pool for faster
  multi-file uploads (#5515).

---

## Bug Fixes

### RDMA

- Reworked internode RDMA PUT to use a contiguous transfer with an adaptive
  inflight-bytes window for robust high-throughput writes (#5894), and fixed
  multi-NIC internode RDMA PUT path selection (#5935).
- Skip `content-sha256` verification on the RDMA path and return clean errors on
  transfer failure (#5605).

### Listing, Rename & Storage

- Deduplicated `CommonPrefixes` in unsorted multi-pool listings (#5928).
- Invalidate the `xl.meta` cache on `RenameFile` so stale metadata is not served
  after a rename (#5925).
- Unblock `DoWithContext` callers whose context was already cancelled, fixing a
  potential hang (#5129).
- Collapsed repeated XFS retry-on-error warnings into a single aggregated log
  line (#5766).

### Replication & Lifecycle

- Lifecycle expiry now waits for replication to finish before expiring objects
  by default, preventing premature deletion of not-yet-replicated data (#5435).
- Reliability fixes for Delta Sharing (#5932).

### Tables

- Skip unreferenced-file removal on tables that have a recoverable transaction
  in flight (#5736).
- Added a wait floor in the tables maintenance loop to avoid a busy spin (#5884).

### Notifications & Logging

- Stopped emitting duplicate webhook metrics for audit and console targets
  (#5672).
- Keep the Elasticsearch notification target registered when startup index
  creation fails, instead of dropping the target (#5669).
- Fixed Kafka logger produce timeout and retry handling (#5557).
- Stop emitting a spurious ERROR log when a webhook, audit, or logger target is
  actually healthy (#4849).
- Skip non-certificate files when scanning the CA directory for expiry alerts,
  avoiding false warnings (#5798).

### Identity, Config & Admin

- IAM entity create duplicate-checks now honor the backend's case sensitivity
  (#5888).
- Decoupled OpenID access-token expiration from STS credential expiration
  (#5863).
- Removed the buggy prefix-usage feature from the AccountInfo API (#5710).
- Drop removed `table_maintenance` configuration keys on upgrade so stale keys
  do not block startup (#5633).
- Bumped the license dependency to resolve a `Token.Close` data race (#5791).

### Console

- Fixed pools page double-counting healing drives in the online count (#5848).
- Removed warehouse buckets from bucket monitoring (#5599).
- Return an empty result for top-tables when no warehouses exist (#5700).
- Fixed batch replication/expiration filter fields to be independent (#5839).
- Clear stale session-cookie parts on login, refresh, and `/api/session` 401
  (#5883).
- Redirect already-authenticated users away from `/login` (#5658).
- Show inline validation errors in the bucket replication add-rule form (#5684),
  and decouple the bucket-create form and YAML editor (#5522).
- Hide the rotate-key action for KMS types that do not support it (#5853).
- Debounce the lifecycle-expiry Object Distribution search (#5811).
- Capped the datetime picker hour/minute dropdown height (#5849) and kept its
  month-navigation arrows static (#5842).
- Cleaned the empty state for the JSON editor (#5855) and prevented dialog-title
  overflow (#5640).
- Dim snowball sub-options when snowball is disabled (#5837).
- Threaded server uptime through site-replication tooltips (#5664), fixed
  breadcrumb clickability and nav-depth matching (#5690), and forwarded
  `X-Forwarded-Host` in the Vite dev proxy so console logout works (#5678).
- Fixed Object Browser info-tooltip UI issues (#5732) and aligned the QoS rule
  delete dialog with the shared confirm-to-delete UX (#5797).

---

## Improvements

- Migrated the console to the shadcn/ui component pattern across forms, alerts,
  and remaining components, with design tokens and shared primitives applied
  across multiple surfaces (#5558, #5718, #5634, #5727).
- Updated the OpenID/LDAP configuration pages with clearer layout and input
  validation (#5802).
- Renamed the Tables page to Warehouses and simplified its row actions (#5647).
- Added search-term highlighting to the alerts search (#5725).
- Moved the internal-logging toggle into the filter bar with a clear on/off
  state (#5504).
- Display the maximum version depth with an "at least N" constraint (#5582).
- Made field-description notes consistent across table and view detail pages
  (#5739).
- Standardized sheet primary actions on a "Save Changes" label (#5727).
- Simplified an overly verbose site-replication status message (#5339).
- Refreshed the Enable Encryption sheet copy and aligned its save-button label
  (#5659).
- Swapped in the updated AIStor logo and version display (#5649) and removed the
  unused stork icon from the sidebar (#5794).

---

## Security & Compliance

### Software Bill of Materials (SBOM)

This release includes comprehensive SBOM documentation in multiple formats:

- [SPDX JSON](sbom-EDGE.2026-06-21T21-29-44Z.spdx.json) - Standard SBOM format
- [CycloneDX JSON](sbom-EDGE.2026-06-21T21-29-44Z.cyclonedx.json) - Security scanner compatible
- [Go Modules](go-modules-EDGE.2026-06-21T21-29-44Z.txt) - Human-readable dependency list

SBOM files document all direct and transitive dependencies for security auditing and compliance requirements.

---

## Upgrade Instructions

For detailed upgrade instructions, please read: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/

Platform-specific upgrade guides:

- **Linux/Bare Metal**: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/upgrade-aistor-linux/
- **Kubernetes with Helm**: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/upgrade-aistor-kubernetes-helm/

### New Configuration Options

- A configurable per-user service-account limit is now available (#5774).
- Warehouse buckets are created with versioning enabled by default (#5668).
- Lifecycle expiry waits for replication to complete by default before expiring
  objects (#5435).

### Support

For enterprise support:

- SUBNET Support: https://subnet.min.io
- Documentation: https://docs.min.io
