Release Note

Major Changes

• Tighten the identity-authentication flow: OIDC / WebIdentity now accepts only asymmetrically signed ID Token values backed by the IdP JWKS; symmetrically signed tokens such as HS256 are no longer accepted. LDAP STS also now hides the distinction between unknown-user and bad-password failures to reduce username-enumeration risk.

• Update LDAP STS rate limiting: limits now apply to both source IP and normalized username, and successful requests no longer consume quota incorrectly. By default MinIO now uses only the socket peer address as the source and no longer trusts X-Forwarded-For, X-Real-IP, or Forwarded; to rate-limit by real client IP, configure MINIO_IDENTITY_LDAP_STS_TRUSTED_PROXIES explicitly.

• Make upload and write paths stricter: presigned query parameters can no longer be combined with unsigned-trailer PUT or multipart uploads. Snowball auto-extract now also performs full signature validation on the unsigned-trailer path and rejects anonymous or forged-signature requests.

• Prevent replication metadata spoofing: internal X-Minio-Replication-* headers attached to ordinary PUT / COPY requests are now rejected or ignored, and only trusted replication flows may write the related internal metadata.

• Clarify S3 Select error semantics: oversized CSV and line-delimited JSON records now return OverMaxRecordSize directly instead of the generic InternalError; clients or alerting rules that depend on the old error code should be adjusted.

• Upgrade the runtime and dependency baseline: fix the regression where ldaps:// did not correctly apply TLS settings, replace minio/pkg/v3 with pgsty/minio-pkg/v3, and pin several critical dependencies that are prone to breaking changes. The release also upgrades go-jose, go.opentelemetry.io, and Go 1.26.2 to unify the build and release baseline.

• Refresh documentation and security guidance: update SECURITY.md, VULNERABILITY_REPORT.md, docs/sts/ldap.md, and related documents, add a security advisory index, and switch upstream minio/minio references in the security guidance over to pgsty/minio.

Fixed CVEs

• CVE-2026-34986: upgrade go-jose to v4.1.4 and fix known security issues in the JWT / JOSE dependency chain.

• CVE-2026-39883: upgrade the go.opentelemetry.io dependency stack to fix the PATH-hijacking risk.

• CVE-2026-33322: restore the strict JWKS-only OIDC JWT verification path to block keyring injection and algorithm-confusion risk.

• CVE-2026-33419: systematically harden LDAP STS authentication, rate limiting, source-address identification, and accounting logic across four follow-up fixes.

• CVE-2026-34204: reject injection of X-Minio-Replication-* metadata by untrusted requests to prevent objects from being written with invalid replication state.

• CVE-2026-39414: reject oversized S3 Select records early to avoid continued buffering and parsing of abnormal inputs.

• GHSA-hv4r-mvr4-25vw: close the unsigned-trailer query-auth bypass.

• GHSA-9c4q-hq6p-c237: harden unsigned-trailer authentication and signature validation in Snowball auto-extract scenarios.

• CVE-2026-32280, CVE-2026-32281, and CVE-2026-32283: upgrade Go to 1.26.2 and absorb the upstream toolchain and stdlib security fixes.

Related Commits

• c878ca0: fix: pin deps with breaking changes and fix LDAP TLS regression (#15)

• e970ec5: fix: upgrade go-jose to v4.1.4 to patch CVE-2026-34986

• a206510: fix: CVE-2026-39883 upgrade go.opentelemetry.io

• fd65f11: merge: PR #18 upgrade go-jose to v4.1.4 for CVE-2026-34986

• bc087e4: merge: PR #19 upgrade go.opentelemetry.io for CVE-2026-39883

• f1f2239: fix: CVE-2026-33322 restore JWKS-only OIDC JWT verification

• 6619d0c: fix: CVE-2026-33419 harden LDAP STS auth

• fcb8f24: fix: CVE-2026-34204 reject untrusted replication metadata

• c5765dc: fix: CVE-2026-39414 reject oversized S3 Select records

• fa7c579: fix: GHSA-hv4r-mvr4-25vw block unsigned-trailer query auth bypass

• b50ab58: fix: GHSA-9c4q-hq6p-c237 harden Snowball unsigned-trailer auth

• 9a4b3cd: fix: CVE-2026-32280/CVE-2026-32281/CVE-2026-32283 upgrade Go to 1.26.2

• c55b52c: fix: CVE-2026-33419 preserve LDAP STS rate limits on success

• 817a457: fix: CVE-2026-33419 harden LDAP STS rate-limit source IP

• 084a154: fix: CVE-2026-33419 tighten LDAP STS rate-limit accounting

• 16e34f9: docs: refresh security guidance and fork references

Major Changes

• Bundle mcli/mc into the Docker image and add checksum verification for a better out-of-the-box image experience.

• Fix the LDAP TLS regression affecting ldaps:// deployments so TLS settings are correctly honored.

• Remove inherited upstream CI/CD workflows that are no longer used in the community-maintained fork.

• Pin several critical dependencies to avoid further fallout from upstream breaking changes.

Fixed CVEs

• CVE-2026-24051: the release notes explicitly call out go.opentelemetry.io/otel/sdk v1.42.0, which avoids the macOS PATH-hijacking arbitrary code execution issue.

• CVE-2025-10543: the release notes explicitly ship github.com/eclipse/paho.mqtt.golang v1.5.1, fixing incorrect MQTT packet encoding for oversized UTF-8 strings.

• CVE-2025-58181: the release notes explicitly ship golang.org/x/crypto v0.49.0, fixing unbounded memory consumption in ssh GSSAPI authentication handling.

Related Commits

• f2f9a40: add mcli/mc from pgsty/mc to Docker image

• ce1c537: fix: pin deps with breaking changes and fix LDAP TLS regression (#15)

• ee55e53: remove upstream CI/CD workflows inherited from minio/minio

Major Changes

• Upgrade the build environment from Go 1.26.0 to Go 1.26.1.

• Refresh direct and indirect dependencies to converge on the newer toolchain.

• Fix linter and test issues exposed by the stricter Go 1.26.1 checks.

Fixed CVEs

• CVE-2026-27137: Go stdlib 1.26.0 -> 1.26.1 fixes incomplete email-constraint enforcement in crypto/x509.

• CVE-2026-27138: Go stdlib 1.26.0 -> 1.26.1 fixes a crypto/x509 panic triggered by malformed certificates.

• CVE-2026-25679: Go stdlib 1.26.0 -> 1.26.1 fixes insufficient validation of IPv6 host literals in net/url.

• CVE-2026-27139: Go stdlib 1.26.0 -> 1.26.1 fixes FileInfo metadata escaping the Root boundary in os.

• CVE-2026-27142: Go stdlib 1.26.0 -> 1.26.1 fixes missing URL escaping in html/template for meta refresh content.

• CVE-2026-26958: filippo.io/edwards25519 v1.1.0 -> v1.2.0 fixes incorrect or undefined MultiScalarMult behavior.

• CVE-2025-10543: github.com/eclipse/paho.mqtt.golang v1.5.0 -> v1.5.1 fixes incorrect MQTT packet encoding for oversized UTF-8 strings.

• CVE-2026-24051: go.opentelemetry.io/otel/sdk v1.38.0 -> v1.42.0 fixes the macOS PATH-hijacking arbitrary code execution issue.

• CVE-2026-33186: google.golang.org/grpc v1.77.0 -> v1.79.3 fixes authorization bypass caused by a missing leading slash in the HTTP/2 :path pseudo-header.

Related Commits

• 5abd9a8: bump golang to 1.26.1 and update deps

• 377fc61: fix: satisfy stricter Go 1.26.1 linter checks

Major Changes

• Switch to the community-maintained georgmangold/console v1.9.1 fork in place of the unmaintainable upstream Console dependency.

• Refresh a large portion of the direct and indirect dependency graph so the new Console and toolchain combination builds cleanly.

• Fix the go vet format directive issue in grid_test.go and adjust tests for the HTTP behavior changes in Go 1.26.

Fixed CVEs

• CVE-2025-47913: golang.org/x/crypto v0.37.0 -> v0.46.0 fixes a panic in ssh/agent when handling malformed responses.

• CVE-2025-58181: golang.org/x/crypto v0.37.0 -> v0.46.0 fixes unbounded memory consumption in ssh GSSAPI authentication parsing.

• CVE-2025-47914: golang.org/x/crypto v0.37.0 -> v0.46.0 fixes a panic in ssh/agent caused by malformed identity messages.

• CVE-2025-47911: golang.org/x/net v0.39.0 -> v0.48.0 fixes quadratic parsing complexity in html.Parse for crafted inputs.

• CVE-2025-58190: golang.org/x/net v0.39.0 -> v0.48.0 fixes an infinite parsing loop in golang.org/x/net/html.

Related Commits

• 68521b3: add github ci/cd pipeline

• 00f3cf7: RELEASE.2026-03-14T12-00-00Z with go 1.26.0

Major Changes

• Restore the embedded Console and refresh the README to clarify the community fork position.

• Add GitHub CI/CD workflows as the base for automated builds and multi-platform delivery.

• Add quick links for docs, Docker, the GitHub repository, and installation through the pig package manager.

Fixed CVEs

These issues were absorbed as part of the Go 1.25.5 -> 1.26.0 upgrade:

• CVE-2025-68121: crypto/tls could incorrectly accept mutated CA configuration during session resumption.

• CVE-2025-61730: TLS 1.3 could process handshake messages incorrectly across encryption-level boundaries.

• CVE-2025-61726: net/url query parsing could be abused for memory exhaustion.

• CVE-2025-61728: archive/zip could consume excessive CPU while building archive indexes.

• CVE-2025-68119: cmd/go could trigger unexpected code execution when invoking external VCS tooling.

• CVE-2025-61731: the #cgo pkg-config: directive could be abused for arbitrary file writes.

• CVE-2025-61732: cmd/cgo comment parsing discrepancies could enable code smuggling.

Related Commits

• 8630937: Restore embedded console and update README for community fork

• 5d57938: add github ci/cd pipeline

Major Changes

• Build the community packaging flow around minio/pkger.

• Choose a maintenance-mode upstream MinIO baseline as the starting point for the community-maintained fork.

• Produce the first apk, deb, and rpm artifacts for ongoing community releases.

Fixed CVEs

• This is the first community release. The GitHub Release does not provide a delta-style security-fix list against an earlier community version, and this page does not attempt to reconstruct the full historical CVE delta against the upstream maintenance baseline.

Related Commits

• d4cd4b4: RELEASE.2025-12-03T12-00-00Z with go 1.25.5