# MinIO AIStor RELEASE.2026-03-26T21-24-40Z

Released: March 27, 2026

This release addresses critical security vulnerabilities in replication header handling and Iceberg Tables property validation, fixes several IAM service account broadcast issues in distributed clusters, and resolves a data-integrity bug in O_DIRECT reads that caused spurious corruption errors on GET requests.

---

## Downloads

### Binary Downloads

| Platform | Architecture | Download                                                                                  |
| -------- | ------------ | ----------------------------------------------------------------------------------------- |
| Linux    | amd64        | [minio](https://dl.min.io/aistor/minio/release/linux-amd64/minio)                        |
| Linux    | arm64        | [minio](https://dl.min.io/aistor/minio/release/linux-arm64/minio)                        |
| macOS    | arm64        | [minio](https://dl.min.io/aistor/minio/release/darwin-arm64/minio)                       |
| macOS    | amd64        | [minio](https://dl.min.io/aistor/minio/release/darwin-amd64/minio)                       |
| Windows  | amd64        | [minio.exe](https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe)              |

### FIPS Binaries

| Platform | Architecture | Download                                                                                  |
| -------- | ------------ | ----------------------------------------------------------------------------------------- |
| Linux    | amd64        | [minio.fips](https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips)              |
| Linux    | arm64        | [minio.fips](https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips)              |

### Package Downloads

| Format | Architecture | Download                                                                                                                                      |
| ------ | ------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
| DEB    | amd64        | [minio\_20260326212440.0.0\_amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio_20260326212440.0.0_amd64.deb)                |
| DEB    | arm64        | [minio\_20260326212440.0.0\_arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio_20260326212440.0.0_arm64.deb)                |
| RPM    | amd64        | [minio-20260326212440.0.0-1.x86\_64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260326212440.0.0-1.x86_64.rpm)          |
| RPM    | arm64        | [minio-20260326212440.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/release/linux-arm64/minio-20260326212440.0.0-1.aarch64.rpm)         |

### Container Images

```bash
# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z

# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips
```

### Homebrew (macOS) - RELEASE builds only

```bash
brew install minio/aistor/minio
```

---

## Security Updates

- **Replication header injection vulnerability — [CVE-2026-34204](https://nvd.nist.gov/vuln/detail/CVE-2026-34204) / [GHSA-3rh2-v3gr-35p9](https://github.com/advisories/GHSA-3rh2-v3gr-35p9) (High, CVSS 7.1)** — Fixed a security issue where clients with ordinary `s3:PutObject` permission could inject internal SSE encryption metadata via `X-Minio-Replication-*` headers, making uploaded objects permanently unreadable through the S3 API. Replication SSE headers are now only processed on genuine replication ingress requests (#3510)

- **Iceberg Tables reserved property bypass** — Closed a security gap where reserved storage properties (`write.data.path`, `write.metadata.location`, etc.) could be modified through commit operations on Tables, Views, and multi-table transactions, potentially redirecting data writes outside the managed warehouse bucket. The same validation enforced at creation time is now applied to all commit endpoints (#3523)
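The gating principle behind the replication header fix, as an added sketch that is not AIStor's code: internal `X-Minio-Replication-*` headers are dropped unless the request has been accepted as replication ingress. `isReplication` is a hypothetical predicate standing in for the server's own check, and the two header names in the sample request are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Header family named in the release note, lower-cased for comparison.
const replPrefix = "x-minio-replication-"

// gateReplicationHeaders drops every X-Minio-Replication-* header before next
// runs unless isReplication (hypothetical; stands in for the server's own
// replication-ingress check) accepts the request.
func gateReplicationHeaders(isReplication func(*http.Request) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isReplication(r) {
			for name := range r.Header {
				// Compare case-insensitively: keys written straight into the map may not be canonical.
				if strings.HasPrefix(strings.ToLower(name), replPrefix) {
					delete(r.Header, name)
				}
			}
		}
		next.ServeHTTP(w, r)
	})
}

// survivors sends one constructed PUT through the gate and reports how many
// replication headers the downstream handler still sees.
func survivors(trusted bool) int {
	seen := 0
	h := gateReplicationHeaders(func(*http.Request) bool { return trusted },
		http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
			for name := range r.Header {
				if strings.HasPrefix(strings.ToLower(name), replPrefix) {
					seen++
				}
			}
		}))
	req := httptest.NewRequest(http.MethodPut, "/bucket/object", nil)
	req.Header.Set("X-Minio-Replication-Constructed-A", "1") // constructed header names
	req.Header["x-minio-replication-constructed-b"] = []string{"1"}
	h.ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() { fmt.Println(survivors(false), survivors(true)) }
```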
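One way to apply the same reserved-property check to every commit path, as an added example that is not AIStor's code. It assumes the Iceberg REST commit body shape (`updates` entries carrying `updates` or `removals`, and `table-changes` for multi-table transactions) and lists only the two reserved properties named above; the sample request body is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the two properties the release note names; the full reserved list is not on the page.
var reserved = []string{"write.data.path", "write.metadata.location"}

type update struct {
	Updates  map[string]string `json:"updates"`  // set-properties payload
	Removals []string          `json:"removals"` // remove-properties payload
}

type commit struct { // table or view commit ("updates") or multi-table transaction ("table-changes")
	Updates      []update `json:"updates"`
	TableChanges []commit `json:"table-changes"`
}

// reservedTouched lists the reserved keys a commit body sets or removes; reject the commit if non-empty.
func reservedTouched(body []byte) ([]string, error) {
	var root commit
	if err := json.Unmarshal(body, &root); err != nil {
		return nil, err // malformed body: reject rather than apply
	}
	hit := map[string]bool{}
	for _, c := range append([]commit{root}, root.TableChanges...) {
		for _, u := range c.Updates {
			for k := range u.Updates {
				hit[k] = true
			}
			for _, k := range u.Removals {
				hit[k] = true
			}
		}
	}
	touched := []string{}
	for _, k := range reserved {
		if hit[k] {
			touched = append(touched, k)
		}
	}
	return touched, nil
}

func main() { // constructed sample body: a commit that tries to move the data path
	fmt.Println(reservedTouched([]byte(`{"updates":[{"action":"set-properties","updates":{"write.data.path":"s3://constructed/x"}}]}`)))
}
```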

---

## Bug Fixes

### Data Integrity

- **O_DIRECT read corruption on unaligned shard files** — Fixed intermittent "file is corrupted" errors on GET requests for objects whose per-shard bitrot file size is not a multiple of 4096 bytes and exceeds the 1 MiB erasure block size. The root cause was an aligned-read buffer overshoot that overwrote unconsumed bitrot hash data in the ring buffer. Most visible on low-parity (EC:1) configurations where no spare shard was available for reconstruction (#3522)

### IAM & Authentication

- **Service account broadcast misclassification** — Fixed a bug where service accounts became unrecognizable as such on follower nodes after IAM cache broadcast, causing them to incorrectly appear as top-level IAM users in `mc admin accesskey ls`. The fix ensures `IsServiceAccount()` correctly identifies non-temp credentials by `ParentUser` alone, removing the dependency on Claims data that could be lost during broadcast serialization (#3532)

- **Service account credential and policy broadcast staleness** — Resolved an issue where service accounts created on the leader node intermittently stopped working on follower nodes after the periodic IAM broadcast cycle. Transport fields (`CredentialsJSON`, `PolicyJSON`, `RevokeInfoJSON`) are now serialized at broadcast time rather than at creation time, ensuring Claims and policy data are fully populated before transmission (#3528)

- **Inventory job creation failure with STS credentials** — Fixed a 500 error when creating bucket inventory configurations through the MinIO Console UI. The handler previously attempted to look up ephemeral STS tokens in the IAM store where they are never persisted; it now uses the pre-authenticated credential directly for authorization (#3525)

### Storage & Write Path

- **Full disks no longer cause cluster-wide 507 errors** — A single full disk (exhausted space or inodes) no longer triggers HTTP 507 Insufficient Storage errors for the entire cluster. Full disks are now treated as offline in the write path, allowing writes to proceed as long as enough healthy disks remain to satisfy write quorum (#3520)

### Server Operations

- **Fan-out broadcast after pool hot-add** — Fixed a bug where newly added pool nodes were silently excluded from all fan-out/broadcast operations (such as `ServerInfo`) after a SIGHUP-triggered pool hot-reload. New nodes were reachable for point-to-point RPC but the fan-out topology was never rebuilt (#3570)

---

## Improvements

- **UpdateObjectEncryption now returns version ID** — The `UpdateObjectEncryption` API response now includes the `x-amz-version-id` header for objects in versioned buckets, eliminating the need for an extra HEAD request after re-encryption operations (#3527)

- **Console updated to v0.0.39** — The embedded web console now correctly reflects read-only access based on capability checks and displays a clear error message when attempting to download SSE-C encrypted objects through the UI (#3543)

---

## Security & Compliance

### Software Bill of Materials (SBOM)

This release includes comprehensive SBOM documentation in multiple formats:

- [SPDX JSON](sbom-RELEASE.2026-03-26T21-24-40Z.spdx.json) - Standard SBOM format
- [CycloneDX JSON](sbom-RELEASE.2026-03-26T21-24-40Z.cyclonedx.json) - Security scanner compatible
- [Go Modules](go-modules-RELEASE.2026-03-26T21-24-40Z.txt) - Human-readable dependency list

SBOM files document all direct and transitive dependencies for security auditing and compliance requirements.

---

## Upgrade Instructions

For detailed upgrade instructions, please read: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/

Platform-specific upgrade guides:

- **Linux/Bare Metal**: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/upgrade-aistor-linux/
- **Kubernetes with Helm**: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/upgrade-aistor-kubernetes-helm/

### Support

For enterprise support:

- SUBNET Support: https://subnet.min.io
- Documentation: https://docs.min.io
