# MinIO AIStor RELEASE.2026-05-28T20-50-32Z

Released: 2026-05-29

This release is a security-focused update that closes multiple access-control, request-authorization, and denial-of-service vulnerabilities across the S3 API, STS/OpenID identity flows, admin endpoints, and the S3 zip and S3 Select code paths. It also corrects licensed storage-capacity enforcement so that exceeding the licensed capacity now correctly places the cluster into read-only mode, adds proactive usage warnings, improves authorization performance through a new policy-evaluation cache, and adds a configurable SUBNET auto-renewal flag. All deployments are encouraged to upgrade promptly.

---

## Downloads

### Binary Downloads

| Platform | Architecture | Download                                                                           |
| -------- | ------------ | ---------------------------------------------------------------------------------- |
| Linux    | amd64        | [minio](https://dl.min.io/aistor/minio/release/linux-amd64/minio)                  |
| Linux    | arm64        | [minio](https://dl.min.io/aistor/minio/release/linux-arm64/minio)                  |
| macOS    | arm64        | [minio](https://dl.min.io/aistor/minio/release/darwin-arm64/minio)                 |
| macOS    | amd64        | [minio](https://dl.min.io/aistor/minio/release/darwin-amd64/minio)                 |
| Windows  | amd64        | [minio.exe](https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe)        |

### FIPS Binaries

| Platform | Architecture | Download                                                                           |
| -------- | ------------ | ---------------------------------------------------------------------------------- |
| Linux    | amd64        | [minio.fips](https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips)        |
| Linux    | arm64        | [minio.fips](https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips)        |

### Package Downloads

| Format | Architecture | Download                                                                                                                              |
| ------ | ------------ | ------------------------------------------------------------------------------------------------------------------------------------- |
| DEB    | amd64        | [minio\_20260528205032.0.0_amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio_20260528205032.0.0_amd64.deb)          |
| DEB    | arm64        | [minio\_20260528205032.0.0_arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio_20260528205032.0.0_arm64.deb)          |
| RPM    | amd64        | [minio-20260528205032.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260528205032.0.0-1.x86_64.rpm)     |
| RPM    | arm64        | [minio-20260528205032.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/release/linux-arm64/minio-20260528205032.0.0-1.aarch64.rpm)   |

### Container Images

```bash
# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-05-28T20-50-32Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-05-28T20-50-32Z

# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-05-28T20-50-32Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-05-28T20-50-32Z.fips
```

### Homebrew (macOS)

```bash
brew install minio/aistor/minio
```

---

## Security Updates

This release addresses a broad set of vulnerabilities. Prompt upgrade is strongly recommended.

### Access Control & Authorization

- Fixed a bucket policy bypass where the `s3:ExistingObjectTag` condition could be circumvented by supplying an `X-Amz-Tagging` header on `GetObject`, allowing requests to evade tag-based policy restrictions (#5188).
- Hardened the replication header-injection fix (GHSA-3rh2-v3gr-35p9 / CVE-2026-34204) by gating the server-side-encryption metadata rewrite on an explicit `s3:ReplicateObject` authorization check, closing a residual path from the original fix (#4868).
- `PutObjectFanOut` now authorizes each fan-out destination individually, preventing writes to objects the caller is not permitted to modify (#5044).
- Bound STS `AssumeRoleWithWebIdentity` so it only falls back to claim-based role resolution for a specifically configured role ARN, preventing unintended role assumption in multi-provider setups (#5365).
- In multi-OIDC deployments, JWTs are now bound to their issuing provider, preventing a token from one configured provider from being accepted by another (#5085).

### Request Authentication

- Rejected malformed authentication on unsigned-trailer `PUT` requests, closing an authentication-handling gap (#5079).
- STS login now treats access tokens as opaque strings rather than attempting to parse them, while retaining JWT-specific validation when the token is a JWT (#5042).

### Unauthenticated Admin Endpoints

- Closed unauthenticated access to the site-replication `devnull` and `netperf` admin endpoints (#5127).
- Fixed a server-side request forgery (SSRF) vulnerability in the admin `ServerUpdate` handler (#4972).

### Denial of Service (Resource Exhaustion)

- Rejected negative `pageSize` values in tables (Iceberg) pagination. A negative value wrapped to a multi-billion element allocation (~224 GiB), crashing the server via an unrecoverable out-of-memory condition (#4956).
- Bounded JSON S3 Select line reads to 128 KB, preventing unbounded memory growth and server crashes when processing single-line JSON inputs. This applies the same hardening previously used for the CSV reader (CVE-2026-39414) to the JSON reader (#4975).
- Fixed a `uint64` overflow in the S3 zip handler that produced a negative `Content-Length`, hardening archive handling against malformed inputs (#4951).
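The two integer-handling fixes above (a negative `pageSize` wrapping to a huge allocation, and a `uint64` overflow yielding a negative `Content-Length`) share a root cause: untrusted sizes reaching unsigned arithmetic without a bounds check. The Go example below is added here for illustration and is not MinIO code; the `maxPageSize` limit and the range arithmetic in `contentLength` are assumptions, not the actual AIStor implementation.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Assumed upper bound for a page; not a value from the release notes.
const maxPageSize = 10_000

var (
	errBadPageSize    = errors.New("pageSize must be between 1 and 10000")
	errLengthOverflow = errors.New("content length does not fit in int64")
)

// validatePageSize checks a client-supplied page size before it is converted
// to an unsigned type or handed to make(). Without this check a negative
// int32 reinterpreted as uint32 becomes roughly 4.29 billion elements.
func validatePageSize(pageSize int32) (int, error) {
	if pageSize < 1 || pageSize > maxPageSize {
		return 0, errBadPageSize
	}
	return int(pageSize), nil
}

// wrappedLen shows what the unchecked conversion produces: -1 -> 4294967295.
func wrappedLen(pageSize int32) uint32 { return uint32(pageSize) }

// contentLength computes the byte count of an inclusive [start, end] range
// (hypothetical zip-entry arithmetic) with explicit underflow and overflow
// checks, then confirms the result fits in the int64 that Content-Length
// carries, so a high-bit uint64 can never surface as a negative length.
func contentLength(start, end uint64) (int64, error) {
	if end < start {
		return 0, errLengthOverflow // end-start would underflow to a huge value
	}
	n := end - start
	if n == math.MaxUint64 {
		return 0, errLengthOverflow // n+1 would wrap to zero
	}
	n++
	if n > math.MaxInt64 {
		return 0, errLengthOverflow // int64(n) would be negative
	}
	return int64(n), nil
}

func main() {
	fmt.Println("unchecked -1 as uint32:", wrappedLen(-1))
	_, err := validatePageSize(-1)
	fmt.Println("validated -1:", err)
	_, err = contentLength(0, math.MaxUint64)
	fmt.Println("range 0..MaxUint64:", err)
}
```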

### S3 Zip Archive Handling

- S3 zip archive listing now requires `GetObject` permission, preventing unauthorized enumeration of archive contents (#5168).
- Ensured S3 zip object metadata is encrypted consistently (#5171).
- S3 zip parser errors are now persisted so failures are surfaced rather than silently dropped (#5175).

### Dependency & Toolchain Security

- Updated the Go toolchain to 1.26.3, which resolves multiple standard-library vulnerabilities including issues in `net/http` and `net/http/httputil` (GO-2026-4986, 4982, 4981, 4980, 4977, 4976, 4971, 4918).
- Bumped `golang.org/x/crypto` to v0.52.0.

---

## New Features

### Licensed Capacity Usage Warnings

A periodic monitor now logs a warning when cluster usage reaches 85% of the licensed storage capacity and an error at 95%, giving operators advance notice before usage reaches the licensed limit.

### Configurable SUBNET Auto-Renewal

Added a `renewal` boolean (default on) to the SUBNET configuration. When set to off, the daily automatic license renewal from SUBNET is skipped and the `license_renewal_status` Prometheus metric reports `disabled`. Auto-renewal failures are no longer logged in this mode (#4387). Override via `MINIO_SUBNET_RENEWAL=off`.

### Clearer Offline License Errors

S3 operations in offline mode now return distinct, actionable error messages depending on whether no license was ever installed or the installed license has fully expired, guiding operators to install or restore a valid license with `mc license update` (#4252).

---

## Performance Improvements

- Added a cache for merged policy mappings, reducing repeated policy-merge work during `IsAllowed` authorization checks and improving request authorization performance in deployments with many policies (#3513).
- Corrected an inverted condition in the grid JSON pool buffer-size hint so the serialization buffer is sized from the actual marshaled payload, avoiding mis-sized allocations on the RPC path (#5010).

---

## Bug Fixes

### Licensing

- Licensed storage-capacity enforcement now takes effect correctly. When cluster usage exceeds the licensed capacity, write and other mutating operations are rejected and the cluster operates in read-only mode, while reads and administrative operations continue to function normally (#5076).

### Erasure Coding & Storage

- Usable-capacity offsets are now tracked per (pool, set) rather than per pool, correcting capacity accounting in multi-set deployments (#5321).
- All pools are now reconciled and the pool index preserved after a stripe-size regroup, preventing misattribution of data across pools during expansion (#5290).
- Added a missing bounds check on the pool index in `updatePoolStats`, preventing a potential out-of-range panic (#3991).
- Prevented a panic and a silent "OK" overwrite in the erasure-healing write-distribution check (#4860).
- Improved dangling-object detection logging to include bucket/object names and a per-error breakdown for faster diagnosis (#4926).

### Identity (LDAP)

- Fixed an LDAP normalization race during startup that could occur before identity initialization completed (#5344).
- Deferred LDAP bind failures so IAM initialization can complete, preventing a single bind error from blocking identity setup (#5222).

### Replication

- Filtered legacy multipart checksums that lack a checksum value, preventing replication errors on objects created by older versions (#4835).
- Cleared inherited replication state on `CopyObject` destinations so copied objects no longer carry stale replication status from the source (#4916).

### Object Listing & Caching

- Reset the loaded-part state in the `ObjectNotFound` retry handler during listing, avoiding stale part data on retry (#4891).

### Logging Noise Reduction

- Suppressed non-actionable KMS decryption errors in parts-checksum logging (e.g., stale KMS headers on non-KMS objects) (#5048).
- Removed the `send_channel_full` log spam from global queue send paths (#5045).
- Stripped the deprecated `logger_webhook:subnet` target on startup so it no longer produces warnings (#5084).

---

## Improvements

- Improved API versioning error messages and added supporting documentation to help operators diagnose version-related request failures (#5106).

---

## Security & Compliance

### Software Bill of Materials (SBOM)

This release includes comprehensive SBOM documentation in multiple formats:

- [SPDX JSON](sbom-RELEASE.2026-05-28T20-50-32Z.spdx.json) - Standard SBOM format
- [CycloneDX JSON](sbom-RELEASE.2026-05-28T20-50-32Z.cyclonedx.json) - Security scanner compatible
- [Go Modules](go-modules-RELEASE.2026-05-28T20-50-32Z.txt) - Human-readable dependency list

SBOM files document all direct and transitive dependencies for security auditing and compliance requirements.

---

## Upgrade Instructions

For detailed upgrade instructions, please read: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/

Platform-specific upgrade guides:

- **Linux/Bare Metal**: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/upgrade-aistor-linux/
- **Kubernetes with Helm**: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/upgrade-aistor-kubernetes-helm/

### New Configuration Options

- `subnet renewal` (boolean, default on) — controls daily automatic license renewal from SUBNET. Environment override: `MINIO_SUBNET_RENEWAL=off`.

### Migration Notes

- Licensed storage-capacity enforcement now works as intended (#5076): clusters whose usage exceeds the licensed capacity will operate in read-only mode until usage is reduced or the license capacity is increased. Confirm that your used capacity is within your licensed entitlement, watch for the new warnings emitted at 85% and 95% of licensed capacity, and contact SUBNET support to adjust your entitlement if needed.

### Support

For enterprise support:

- SUBNET Support: https://subnet.min.io
- Documentation: https://docs.min.io
