CVE-2026-41145

MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's STREAMING-UNSIGNED-PAYLOAD-TRAILER code path allows any user who knows a valid access key to write arbitrary...

Adding a private/unlisted room to a community exposes room metadata in an unauthorised manner.

Impact Unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where: - the vulnerable homeserver is in the room; and - untrusted users are permitted to create groups communities. By defaul...