CVE-2022-35919

HIGH

MinIO < 2022-07-29T19-40-48Z - Path Traversal via ServerUpdate API

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2022-35919. PoCs published by Jenson Zhao, Immer5ion, ifulxploit.

AI-analyzed exploit summary This exploit leverages a path traversal vulnerability in Minio (CVE-2022-35919) to read the contents of /etc/passwd by sending a crafted POST request to the admin update endpoint. It uses AWS Signature Version 4 for authentication and parses the response to extract user data.

Description

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all 'admin' users authorized for `admin:ServerUpdate` can selectively trigger an error that in response, returns the content of the path requested. Any normal OS system would allow access to contents at any arbitrary paths that are readable by MinIO process. Users are advised to upgrade. Users unable to upgrade may disable ServerUpdate API by denying the `admin:ServerUpdate` action for your admin users via IAM policies.

Exploits (3)

exploitdb WORKING POC
by Jenson Zhao · pythonwebappsgo
https://www.exploit-db.com/exploits/51734

This exploit leverages a path traversal vulnerability in Minio (CVE-2022-35919) to read the contents of /etc/passwd by sending a crafted POST request to the admin update endpoint. It uses AWS Signature Version 4 for authentication and parses the response to extract user data.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Minio versions up to (excluding) 2022-07-29T19-40-48Z
Auth required
Prerequisites: valid Minio credentials (AccessKey and SecretKey) · network access to the Minio admin endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WORKING POC
by Immer5ion · pythonpoc
https://github.com/Immer5ion/cve_poc/tree/main/cve-2022-35919.py

This PoC exploits a path traversal vulnerability in Minio's admin API to read arbitrary files (e.g., /etc/passwd) by crafting authenticated requests with AWS Signature V4 signing. It demonstrates the vulnerability by parsing and displaying the contents of the targeted file.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Minio versions before 2022-07-29T19-40-48Z
Auth required
Prerequisites: valid Minio credentials (AccessKey and SecretKey) · network access to the Minio admin API
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC
by ifulxploit · poc
https://github.com/ifulxploit/Minio-Security-Vulnerability-Checker

This repository contains a functional exploit PoC for CVE-2022-35919, which targets Minio's admin API to leak the contents of /etc/passwd. The script constructs a malicious URL, signs it with AWS Signature V4, and sends a POST request to trigger the vulnerability.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Minio (version not specified)
Auth required
Prerequisites: Valid Minio AccessKey and SecretKey · Target URL with Minio admin API accessible
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 7.4
EPSS 0.5233
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (1)
minio/minio < 2022-07-29t19-40-48z
Published Aug 01, 2022
Tracked Since Feb 18, 2026