
Releases: pgsty/minio

RELEASE.2026-04-17T00-00-00Z

17 Apr 08:19



2026-04-17: https://github.com/pgsty/minio/releases/tag/RELEASE.2026-04-17T00-00-00Z

This release focuses on security hardening and compatibility tightening. It bundles fixes across OIDC, LDAP STS, S3 Select, replication metadata handling, unsigned-trailer flows, the Snowball upload path, and multiple dependency- and Go toolchain-related security issues, while also incorporating the LDAP TLS regression fix and a cleanup of community-fork documentation.

Major Changes

  • Tighten the identity-authentication flow: OIDC / WebIdentity now accepts only asymmetrically signed ID Token values backed by the IdP JWKS; symmetrically signed tokens such as HS256 are no longer accepted. LDAP STS also now hides the distinction between unknown-user and bad-password failures to reduce username-enumeration risk.
  • Update LDAP STS rate limiting: limits now apply to both source IP and normalized username, and successful requests no longer consume quota incorrectly. By default MinIO now uses only the socket peer address as the source and no longer trusts X-Forwarded-For, X-Real-IP, or Forwarded; to rate-limit by real client IP, configure MINIO_IDENTITY_LDAP_STS_TRUSTED_PROXIES explicitly.
  • Make upload and write paths stricter: presigned query parameters can no longer be combined with unsigned-trailer PUT or multipart uploads. Snowball auto-extract now also performs full signature validation on the unsigned-trailer path and rejects anonymous or forged-signature requests.
  • Prevent replication metadata spoofing: internal X-Minio-Replication-* headers attached to ordinary PUT / COPY requests are now rejected or ignored, and only trusted replication flows may write the related internal metadata.
  • Clarify S3 Select error semantics: oversized CSV and line-delimited JSON records now return OverMaxRecordSize directly instead of the generic InternalError; clients or alerting rules that depend on the old error code should be adjusted.
  • Upgrade the runtime and dependency baseline: fix the regression where ldaps:// did not correctly apply TLS settings, replace minio/pkg/v3 with pgsty/minio-pkg/v3, and pin several critical dependencies that are prone to breaking changes. The release also upgrades go-jose and go.opentelemetry.io and moves to Go 1.26.2 to unify the build and release baseline.
  • Refresh documentation and security guidance: update SECURITY.md, VULNERABILITY_REPORT.md, docs/sts/ldap.md, and related documents, add a security advisory index, and switch upstream minio/minio references in the security guidance over to pgsty/minio.
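
A pre-upgrade check for the OIDC / WebIdentity change in the first bullet above, as an added example (not code from pgsty/minio): it inspects an ID token's JOSE header and the IdP's JWKS and reports whether the token is asymmetrically signed with a key the JWKS lists. `CheckIDToken`, `SampleToken` and `SampleJWKS` are hypothetical names, the sample data is constructed, and no signature is verified.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Asymmetric JWS algorithms and the JWK key type each one requires.
var algKty = map[string]string{"RS256": "RSA", "RS384": "RSA", "RS512": "RSA", "PS256": "RSA",
	"PS384": "RSA", "PS512": "RSA", "ES256": "EC", "ES384": "EC", "ES512": "EC", "EdDSA": "OKP"}

// CheckIDToken inspects (never verifies) a compact-JWS ID token; nil means it fits a JWKS-only verifier.
func CheckIDToken(token string, jwksJSON []byte) error {
	parts := strings.Split(token, ".")
	var h struct{ Alg, Kid string }
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &h) != nil {
		return fmt.Errorf("malformed compact JWS or JOSE header")
	}
	kty, ok := algKty[h.Alg]
	if !ok {
		return fmt.Errorf("alg %q is not asymmetric (HS* and none are refused)", h.Alg)
	}
	var set struct{ Keys []struct{ Kid, Kty string } }
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return fmt.Errorf("JWKS JSON: %w", err)
	}
	for _, k := range set.Keys {
		if k.Kid == h.Kid && k.Kty == kty {
			return nil
		}
	}
	return fmt.Errorf("no %s key with kid %q in JWKS", kty, h.Kid)
}

// SampleToken builds a constructed token that carries only a header, a stub payload and a fake signature.
func SampleToken(alg, kid string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"`+alg+`","kid":"`+kid+`"}`)) + "." + enc([]byte(`{"sub":"demo"}`)) + "." + enc([]byte("sig"))
}

// SampleJWKS is constructed: one RSA entry with the key material left out.
const SampleJWKS = `{"keys":[{"kid":"k1","kty":"RSA"}]}`

func main() {
	for _, alg := range []string{"RS256", "HS256", "ES256"} {
		fmt.Println(alg, "->", CheckIDToken(SampleToken(alg, "k1"), []byte(SampleJWKS)))
	}
}
```

Run it against a real token and the JWKS document published by the IdP; an HS256 result means the IdP client must be switched to an asymmetric algorithm before upgrading.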

Fixed CVEs

  • CVE-2026-34986: upgrade go-jose to v4.1.4 and fix known security issues in the JWT / JOSE dependency chain.
  • CVE-2026-39883: upgrade the go.opentelemetry.io dependency stack to fix the PATH-hijacking risk.
  • CVE-2026-33322: restore the strict JWKS-only OIDC JWT verification path to block keyring injection and algorithm-confusion risk.
  • CVE-2026-33419: systematically harden LDAP STS authentication, rate limiting, source-address identification, and accounting logic across four follow-up fixes.
  • CVE-2026-34204: reject injection of X-Minio-Replication-* metadata by untrusted requests to prevent objects from being written with invalid replication state.
  • CVE-2026-39414: reject oversized S3 Select records early to avoid continued buffering and parsing of abnormal inputs.
  • GHSA-hv4r-mvr4-25vw: close the unsigned-trailer query-auth bypass.
  • GHSA-9c4q-hq6p-c237: harden unsigned-trailer authentication and signature validation in Snowball auto-extract scenarios.
  • CVE-2026-32280, CVE-2026-32281, and CVE-2026-32283: upgrade Go to 1.26.2 and absorb the upstream toolchain and stdlib security fixes.
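
The source-address rule described for LDAP STS rate limiting (Major Changes, and CVE-2026-33419 above), as an added example that is not pgsty/minio's own code: the limiter keys on the socket peer unless that peer is a configured proxy, in which case only the hops appended by trusted proxies are believed. It assumes trusted proxies are given as CIDR strings (the value format of MINIO_IDENTITY_LDAP_STS_TRUSTED_PROXIES is not shown on this page); `RateLimitSource` is a hypothetical name and the addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// RateLimitSource picks the address a limiter should key on. With no trusted
// proxies (the default described above) it is always the socket peer.
func RateLimitSource(remoteAddr, xff string, trustedCIDRs []string) (string, error) {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return "", fmt.Errorf("peer address: %w", err)
	}
	peer := ap.Addr().Unmap()
	trusted := func(a netip.Addr) bool {
		for _, c := range trustedCIDRs {
			// An unparsable CIDR entry trusts nothing (fails closed).
			if p, err := netip.ParsePrefix(c); err == nil && p.Contains(a) {
				return true
			}
		}
		return false
	}
	if !trusted(peer) {
		return peer.String(), nil // sender is not a known proxy: ignore its headers
	}
	// Walk right to left: the rightmost hop outside the trusted ranges is the client;
	// anything further left was supplied by that client and is never consulted.
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		a, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // empty or malformed header: fall back to the peer
		}
		if a = a.Unmap(); !trusted(a) {
			return a.String(), nil
		}
	}
	return peer.String(), nil
}

func main() {
	// Constructed addresses taken from documentation and private ranges.
	fmt.Println(RateLimitSource("203.0.113.9:4444", "192.0.2.1", nil))
	fmt.Println(RateLimitSource("10.0.0.5:1234", "192.0.2.1, 198.51.100.7, 10.0.0.9", []string{"10.0.0.0/8"}))
}
```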


RELEASE.2026-03-25T00-00-00Z

25 Mar 04:39


This release is mainly a packaging and stability update. It bundles mcli/mc into the Docker image with checksum verification, removes unused upstream CI/CD workflows from the pgsty/minio fork, and fixes an LDAP TLS regression for ldaps:// while pinning several dependencies to avoid compatibility breakage. (#15)

  • This release fixes three security vulnerabilities: CVE-2026-24051, CVE-2025-10543, and CVE-2025-58181.
  • The fixes are included through dependency updates to go.opentelemetry.io/otel/sdk, github.com/eclipse/paho.mqtt.golang, and golang.org/x/crypto.
  • Users should upgrade to this release to receive the patched versions of these components.

Changelog

  • f2f9a40 add mcli/mc from pgsty/mc to Docker image
  • ce1c537 fix: pin deps with breaking changes and fix LDAP TLS regression (#15)
  • ee55e53 remove upstream CI/CD workflows inherited from minio/minio

RELEASE.2026-03-21T00-00-00Z

21 Mar 06:52


This release upgrades MinIO to Go 1.26.1, updates dependencies, and includes small compatibility fixes needed for the newer toolchain. No new features are introduced; this is primarily a maintenance and build-environment update.

Changelog

  • 5abd9a8 bump golang to 1.26.1 and update deps
  • 377fc61 fix: satisfy stricter Go 1.26.1 linter checks

RELEASE.2026-03-14T12-00-00Z

14 Mar 09:52


RELEASE.2026-03-14T12-00-00Z with go 1.26.0

Switch to community-maintained console fork (georgmangold/console v1.9.1)
and update dependencies accordingly. Fix go vet format directive in
grid_test.go and adapt test status code for Go 1.26 HTTP semantics.

RELEASE.2026-02-14T12-00-00Z

14 Feb 09:32


Docs | Docker | GitHub

Quick apt/dnf install with pig, the package manager from the pigsty-infra repo:

curl https://repo.pigsty.cc/pig | bash
pig repo add infra -u; pig install minio

Changelog

  • 8630937 Restore embedded console and update README for community fork
  • 5d57938 add github ci/cd pipeline

RELEASE.2025-12-03T12-00-00Z

15 Dec 08:57


Build with minio/pkger, based on the latest maintenance mode release.
