RELEASE.2026-04-17T00-00-00Z

[Vonng]

2026-04-17: https://github.com/pgsty/minio/releases/tag/RELEASE.2026-04-17T00-00-00Z

This release is centered on security hardening. It closes multiple issues across OIDC, LDAP STS, S3 Select, replication metadata handling, unsigned-trailer authentication, Snowball upload flows, and dependency plus Go toolchain security maintenance, while also folding in dependency governance, the LDAP TLS regression fix, and a refresh of fork-specific security documentation.

Fixed CVEs

• CVE-2026-34986: upgrade go-jose to v4.1.4 and pick up the JWT / JOSE dependency-side security fix.
• CVE-2026-39883: upgrade the go.opentelemetry.io stack to fix the PATH-hijacking issue.
• CVE-2026-33322: restore strict JWKS-only OIDC JWT verification and eliminate keyring injection / algorithm confusion risk.
• CVE-2026-33419: harden LDAP STS authentication, source-IP handling, rate limiting, and accounting across four follow-up fixes.
• CVE-2026-34204: reject untrusted X-Minio-Replication-* metadata so objects cannot be forced into invalid replication state.
• CVE-2026-39414: reject oversized S3 Select records early to avoid repeated buffering and parsing of malicious inputs.
• GHSA-hv4r-mvr4-25vw: block the unsigned-trailer query-auth bypass path.
• GHSA-9c4q-hq6p-c237: harden unsigned-trailer authentication and signature validation in the Snowball auto-extract path.
• CVE-2026-32280, CVE-2026-32281, and CVE-2026-32283: upgrade Go to 1.26.2 and absorb the upstream toolchain / stdlib fixes.

Major Changes

• Fix the LDAP TLS regression and reduce dependency risk by replacing minio/pkg/v3 with pgsty/minio-pkg/v3 and pinning a set of dependencies with known breaking-change behavior.
• Complete the key dependency security upgrades by moving to go-jose v4.1.4 and newer go.opentelemetry.io components, while preserving the upstream merge lineage in history.
• Harden the OIDC verification pipeline by restoring strict JWKS-only JWT verification and limiting accepted algorithms to the asymmetric JWKS-backed path.
• Systematically strengthen LDAP STS by normalizing failure responses, adding source-IP and normalized-username rate limiting, fixing successful-request accounting, removing trust in forgeable forwarding headers, and extending trusted-proxy / regression coverage.
• Close object-write and replication-path issues by rejecting untrusted replication metadata, blocking the unsigned-trailer query-auth bypass, and tightening Snowball auto-extract authentication and signature checks.
• Improve S3 Select robustness and observability by rejecting oversized CSV and line-delimited JSON records early and returning a clear OverMaxRecordSize error.
• Upgrade the build and runtime baseline to Go 1.26.2 and refresh the corresponding build-image references.
• Refresh SECURITY.md, VULNERABILITY_REPORT.md, docs/sts/ldap.md, and related fork-specific references so the documentation matches the community-maintained ownership model.