CVE-2021-43858

HIGH

MinIO <RELEASE.2021-12-27T07-23-18Z - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-43858. PoCs published by khuntor.

AI-analyzed exploit summary This Go-based exploit demonstrates CVE-2021-43858, a privilege escalation vulnerability in MinIO. It creates a new admin user by exploiting improper access control in the MinIO admin API.

Description

MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users.

Exploits (2)

nomisec WORKING POC

by khuntor · poc

https://github.com/khuntor/CVE-2021-43858-MinIO

View Code ZIP pw:eip

This Go-based exploit demonstrates CVE-2021-43858, a privilege escalation vulnerability in MinIO. It creates a new admin user by exploiting improper access control in the MinIO admin API.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: MinIO (versions affected by CVE-2021-43858)

No auth needed

Prerequisites: Network access to MinIO admin interface · MinIO instance vulnerable to CVE-2021-43858

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

inthewild WORKING POC

poc

https://github.com/0rx1/cve-2021-43858