# MinIO AIStor RELEASE.2026-03-17T21-25-16Z

Released: March 18, 2026

This release patches two critical authentication vulnerabilities: [CVE-2026-33322](https://github.com/advisories/GHSA-5cx5-wh4m-82fh) (CVSS 9.2) allowed JWT token forgery via OIDC algorithm confusion, and [CVE-2026-33419](https://github.com/advisories/GHSA-jv87-32hw-hh99) (CVSS 9.1) allowed unauthenticated username enumeration and unlimited brute-force attacks against the LDAP STS endpoint. It also eliminates CVE GO-2026-4514 by replacing the vulnerable `buger/jsonparser` dependency with a purpose-built internal parser, adds resilient startup when peer DNS is unavailable, and resolves several replication, batch-job, and tiering bugs. **Immediate upgrade is strongly recommended for all deployments using OIDC or LDAP authentication.**

---

## Downloads

### Binary Downloads

| Platform | Architecture | Download                                                                    |
| -------- | ------------ | --------------------------------------------------------------------------- |
| Linux    | amd64        | [minio](https://dl.min.io/aistor/minio/release/linux-amd64/minio)           |
| Linux    | arm64        | [minio](https://dl.min.io/aistor/minio/release/linux-arm64/minio)           |
| macOS    | arm64        | [minio](https://dl.min.io/aistor/minio/release/darwin-arm64/minio)          |
| macOS    | amd64        | [minio](https://dl.min.io/aistor/minio/release/darwin-amd64/minio)          |
| Windows  | amd64        | [minio.exe](https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe) |

### FIPS Binaries

| Platform | Architecture | Download                                                                    |
| -------- | ------------ | --------------------------------------------------------------------------- |
| Linux    | amd64        | [minio.fips](https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips) |
| Linux    | arm64        | [minio.fips](https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips) |

### Package Downloads

| Format | Architecture | Download                                                                                                                            |
| ------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------- |
| DEB    | amd64        | [minio_20260317212516.0.0_amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio_20260317212516.0.0_amd64.deb)         |
| DEB    | arm64        | [minio_20260317212516.0.0_arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio_20260317212516.0.0_arm64.deb)         |
| RPM    | amd64        | [minio-20260317212516.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260317212516.0.0-1.x86_64.rpm)   |
| RPM    | arm64        | [minio-20260317212516.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/release/linux-arm64/minio-20260317212516.0.0-1.aarch64.rpm) |

### Container Images

```bash
# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z

# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips
```

### Homebrew (macOS)

```bash
brew install minio/aistor/minio
```

---

## Security Updates

- **CVE-2026-33322** (Critical, CVSS 9.2): Fixed a JWT algorithm confusion vulnerability in OIDC authentication ([GHSA-5cx5-wh4m-82fh](https://github.com/advisories/GHSA-5cx5-wh4m-82fh)). An attacker with knowledge of the OIDC `ClientSecret` could forge JWT tokens to impersonate any user, including administrators, and obtain S3 credentials with full privileges. The fix restricts JWT signing algorithms to only those declared by the OIDC provider's discovery document (#3359). All deployments using OIDC authentication should upgrade immediately. Affected versions: `RELEASE.2022-11-08T05-27-07Z` through `RELEASE.2026-03-12T15-15-27Z`
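The allow-list behaviour the fix describes, written as an added Go example rather than MinIO's own code: it reads `id_token_signing_alg_values_supported` from the provider's discovery document and refuses any token whose header `alg` is not on that list, before any verification key is chosen. `Discovery`, `allowedAlgs` and `checkTokenAlg` are names invented for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Discovery is this example's own type; it carries the one discovery-document
// field used here: the signing algorithms the provider declares for ID tokens.
type Discovery struct {
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
}

// allowedAlgs turns the provider's declared list into an allow-list.
// "none" is refused even if a misconfigured provider advertises it.
func allowedAlgs(d Discovery) map[string]bool {
	allowed := make(map[string]bool, len(d.IDTokenSigningAlgValuesSupported))
	for _, alg := range d.IDTokenSigningAlgValuesSupported {
		if !strings.EqualFold(alg, "none") {
			allowed[alg] = true
		}
	}
	return allowed
}

// checkTokenAlg decodes only the JWT header and rejects the token unless its
// alg is on the allow-list. Run it before any signature check: choosing the
// verification key from the token's own alg is the confusion being exploited.
func checkTokenAlg(token string, allowed map[string]bool) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT: want 3 segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", fmt.Errorf("malformed JWT header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", fmt.Errorf("malformed JWT header: %w", err)
	}
	if !allowed[hdr.Alg] {
		return "", fmt.Errorf("alg %q not declared by the OIDC provider", hdr.Alg)
	}
	return hdr.Alg, nil
}
```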

- **CVE-2026-33419** (Critical, CVSS 9.1): Fixed username enumeration and missing rate limiting on the STS `AssumeRoleWithLDAPIdentity` endpoint ([GHSA-jv87-32hw-hh99](https://github.com/advisories/GHSA-jv87-32hw-hh99)). Distinguishable error responses allowed an unauthenticated attacker to enumerate valid LDAP usernames, and the absence of rate limiting permitted unlimited password-guessing attempts to obtain temporary STS credentials. This release normalizes error responses so that "user not found" and "wrong password" are indistinguishable to clients (#3379), adds three-dimensional rate limiting (per-IP, per-LDAP-user, global) to all STS endpoints (#3380), and fixes an ordering bug where a single abusive IP could drain the global rate-limit budget (#3392). All deployments using LDAP authentication should upgrade immediately

- **CVE GO-2026-4514**: Replaced the vulnerable third-party `buger/jsonparser` library with a purpose-built internal JSON parser, eliminating a denial-of-service vulnerability in the upstream library's `Delete` function. The new parser also delivers a ~17% performance improvement for JWT token parsing (a4a4470)

---

## New Features

- **STS endpoint rate limiting**: Added three-dimensional rate limiting to all STS authentication endpoints to protect against brute-force attacks and LDAP server lockout. Three new environment variables control the limits (#3380):
  - `MINIO_STS_RATE_LIMIT_PER_IP` — per-IP limit (default: 10 req/s)
  - `MINIO_STS_RATE_LIMIT_PER_LDAP_USER` — per-LDAP-user limit (default: 5 req/s)
  - `MINIO_STS_RATE_LIMIT_GLOBAL` — global per-node limit (default: 50 req/s)
  - Set any limit to `0` to disable it
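An added Go sketch, not MinIO's implementation, of the three dimensions listed above and of the ordering point from the CVE-2026-33419 fix (#3392): the per-IP and per-LDAP-user buckets are checked before the shared global bucket, so a client that is already over its own limit never consumes the budget that every other client depends on. The `STSLimiter` type, the injectable clock and the `ip:`/`user:` key prefixes are this example's own assumptions; the test below uses the 10/5/50 defaults of the variables listed.

```go
package main

import (
	"math"
	"sync"
	"time"
)

// bucket tracks one token bucket: remaining tokens and the last refill time.
type bucket struct {
	tokens float64
	last   time.Time
}

// STSLimiter is this example's own type (not MinIO's): rates are requests/s
// with burst == rate, 0 disables a dimension, and the clock is injectable.
type STSLimiter struct {
	mu      sync.Mutex
	rates   [3]float64 // index 0: per-IP, 1: per-LDAP-user, 2: global per node
	buckets map[string]*bucket
	now     func() time.Time
}

// take refills the bucket for key at rate tokens/s, then consumes one token.
func (l *STSLimiter) take(key string, rate float64, now time.Time) bool {
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: rate, last: now}
		l.buckets[key] = b
	}
	b.tokens = math.Min(rate, b.tokens+now.Sub(b.last).Seconds()*rate)
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Allow checks the caller's own budgets first and touches the shared global
// bucket only if they pass, so a client already over its per-IP or per-user
// limit cannot drain the budget every other client depends on (cf. #3392).
func (l *STSLimiter) Allow(ip, user string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	return (l.rates[0] == 0 || l.take("ip:"+ip, l.rates[0], now)) &&
		(user == "" || l.rates[1] == 0 || l.take("user:"+user, l.rates[1], now)) &&
		(l.rates[2] == 0 || l.take("global", l.rates[2], now))
}
```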

- **Resilient startup when peer hostnames cannot be resolved**: MinIO AIStor no longer refuses to start when a peer endpoint's DNS lookup fails. Unresolvable peers are marked offline and handled by erasure quorum degraded-capacity logic. A background resolver loop retries with exponential backoff (5 s to 5 min) and automatically promotes peers when DNS recovers, eliminating full-cluster outages caused by a single unavailable DNS entry (#3329)

---

## Bug Fixes

### Batch Jobs

- Fixed a race condition in batch job cancellation where the completion goroutine could re-create a deleted report after `CancelBatchJob` removed it. `BatchJobStatus` now correctly returns "no such job" after cancellation (#3362)

- Fixed a related race in the batch expire saver goroutine that could similarly re-create a deleted report after cancellation (#3363)

### Replication

- Fixed FULL_OBJECT checksum multipart replication failures. The `x-amz-checksum-type` header was silently dropped during replication, causing the target to default to COMPOSITE mode and reject the source's FULL_OBJECT checksum at CompleteMultipartUpload. This affected FTP/SFTP uploads (always FULL_OBJECT multipart) and explicit `--checksum crc32c-FO` uploads. Regression from RELEASE.2025-08-13T17-08-54Z (#3373)

- Fixed the `replication_recent_backlog_count` metric remaining stale at its last non-zero value after the backlog cleared, instead of resetting to 0 (#3338)

### Delta Sharing

- Fixed empty `partitionValues` in Delta Sharing file entries for Iceberg (UniForm) tables. Partition values were looked up by loop index instead of field ID, and non-identity transforms used synthetic names instead of source column names. Strict clients such as Databricks now receive correct partition data (#3383)

- Fixed partition column names using synthetic Iceberg names instead of actual source column names for transform-based partitioning, and fixed decimal types serialized in Iceberg JSON format instead of the Delta Lake `decimal(P,S)` string form (#3365)

### Tiering

- Suppressed spurious warm-tier validation error logs when a transitioned object is not found in the remote tier — an expected condition after object deletion (#3390)

### Encryption

- SSE-C (server-side encryption with customer-provided keys) is now explicitly rejected for Tables (warehouse) buckets. Users must use SSE-S3 or SSE-KMS instead (#3382)

- Fixed a race condition where a stale catalog refresh could overwrite a concurrent encryption configuration update for Tables (warehouse) buckets (#3364)

### Admin API

- Restored missing `Region` and `SQSARN` fields in server/cluster info admin API responses (#3353)

---

## Performance Improvements

- JWT token parsing is ~17% faster (geomean across operations) with no regression in allocations, as a side effect of replacing `buger/jsonparser` (a4a4470)

---

## Improvements

- Restored structured, human-readable log formatting for console and stdout log targets with colored output, timestamps, and trace information (#3369)

---

## Security & Compliance

### Software Bill of Materials (SBOM)

This release includes comprehensive SBOM documentation in multiple formats:

- [SPDX JSON](sbom-RELEASE.2026-03-17T21-25-16Z.spdx.json) - Standard SBOM format
- [CycloneDX JSON](sbom-RELEASE.2026-03-17T21-25-16Z.cyclonedx.json) - Security scanner compatible
- [Go Modules](go-modules-RELEASE.2026-03-17T21-25-16Z.txt) - Human-readable dependency list

SBOM files document all direct and transitive dependencies for security auditing and compliance requirements.

---

## Upgrade Instructions

For detailed upgrade instructions, please read: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/

Platform-specific upgrade guides:

- **Linux/Bare Metal**: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/upgrade-aistor-linux/
- **Kubernetes with Helm**: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/upgrade-aistor-kubernetes-helm/

### New Configuration Options

| Variable                             | Default | Description                                               |
| ------------------------------------ | ------- | --------------------------------------------------------- |
| `MINIO_STS_RATE_LIMIT_PER_IP`        | `10`    | Max STS requests per second per IP address (0 to disable) |
| `MINIO_STS_RATE_LIMIT_PER_LDAP_USER` | `5`     | Max STS requests per second per LDAP user (0 to disable)  |
| `MINIO_STS_RATE_LIMIT_GLOBAL`        | `50`    | Max STS requests per second per node (0 to disable)       |

### Support

For enterprise support:

- SUBNET Support: https://subnet.min.io
- Documentation: https://docs.min.io

