# MinIO AIStor EDGE.2026-07-10T05-23-15Z

Released: 2026-07-10

This edge release introduces a new S3 object annotations API and SPIFFE
workload-identity authentication, along with an untier batch job for warm-to-hot
repatriation and expanded network observability metrics. It hardens data
durability with quorum-based version reconciliation and bitrot deep-scan repair,
moves the S3-over-RDMA server onto an AIStor-native RDMA library, ships several
AIStor Tables reliability and encryption improvements, and resolves multiple
security advisories.

---

## Downloads

### Binary Downloads

| Platform | Architecture | Download                                                                   |
| -------- | ------------ | -------------------------------------------------------------------------- |
| Linux    | amd64        | [minio](https://dl.min.io/aistor/minio/edge/linux-amd64/minio)             |
| Linux    | arm64        | [minio](https://dl.min.io/aistor/minio/edge/linux-arm64/minio)             |
| macOS    | arm64        | [minio](https://dl.min.io/aistor/minio/edge/darwin-arm64/minio)            |
| macOS    | amd64        | [minio](https://dl.min.io/aistor/minio/edge/darwin-amd64/minio)            |
| Windows  | amd64        | [minio.exe](https://dl.min.io/aistor/minio/edge/windows-amd64/minio.exe)   |

### FIPS Binaries

| Platform | Architecture | Download                                                                       |
| -------- | ------------ | ------------------------------------------------------------------------------ |
| Linux    | amd64        | [minio.fips](https://dl.min.io/aistor/minio/edge/linux-amd64/minio.fips)       |
| Linux    | arm64        | [minio.fips](https://dl.min.io/aistor/minio/edge/linux-arm64/minio.fips)       |

### Package Downloads

| Format | Architecture | Download                                                                                                                        |
| ------ | ------------ | ------------------------------------------------------------------------------------------------------------------------------- |
| DEB    | amd64        | [minio\_20260710052315.0.0_amd64.deb](https://dl.min.io/aistor/minio/edge/linux-amd64/minio_20260710052315.0.0_amd64.deb)       |
| DEB    | arm64        | [minio\_20260710052315.0.0_arm64.deb](https://dl.min.io/aistor/minio/edge/linux-arm64/minio_20260710052315.0.0_arm64.deb)       |
| RPM    | amd64        | [minio-20260710052315.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/edge/linux-amd64/minio-20260710052315.0.0-1.x86_64.rpm)  |
| RPM    | arm64        | [minio-20260710052315.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/edge/linux-arm64/minio-20260710052315.0.0-1.aarch64.rpm) |

### Container Images

```bash
# Standard
docker pull quay.io/minio/aistor/minio:EDGE.2026-07-10T05-23-15Z
podman pull quay.io/minio/aistor/minio:EDGE.2026-07-10T05-23-15Z

# FIPS
docker pull quay.io/minio/aistor/minio:EDGE.2026-07-10T05-23-15Z.fips
podman pull quay.io/minio/aistor/minio:EDGE.2026-07-10T05-23-15Z.fips
```

Note: Homebrew is only available for RELEASE builds, not EDGE builds.

---

## Security Updates

- Upgraded quic-go to v0.59.1 to fix an HTTP/3 QPACK trailer-expansion memory
  exhaustion vulnerability — GO-2026-5676 / CVE-2026-40898 / GHSA-vvgj-x9jq-8cj9
  (#6230).
- Delta Sharing presigned-URL tokens are now scoped to a single table, preventing
  a token from being reused to access other shared tables (#6009).
- Inventory Iceberg jobs that create or write warehouses now enforce s3tables
  authorization, closing a privilege gap (#5822).
- Hardened AIStor Tables admin and replication paths with audit logging of
  privileged operations, peer-call timeouts, and bounded response reads to resist
  hangs and memory exhaustion (#6194).

---

## New Features

- **S3 Object Annotations API**: New `PutObjectAnnotation`,
  `GetObjectAnnotation`, `ListObjectAnnotations`, and `DeleteObjectAnnotation`
  operations let applications attach and manage custom, version-keyed metadata
  annotations on objects without modifying the object or its ETag (#5938).
- **SPIFFE workload identity**: `AssumeRoleWithCertificate` can now map a client
  certificate's `spiffe://` URI to an S3 policy by workload path, enabling
  standards-based workload authentication alongside existing CommonName-based
  clients, with optional multi-trust-domain support (#5984).
- **Untier batch job**: New `mc batch start` untier job repatriates tiered
  objects from warm storage back to local hot-tier storage, reversing ILM
  transitions with same-pool and cross-pool migration paths and crash-recovery
  resume (#5620).
- **Network observability metrics**: Added per-interface bandwidth, socket, and
  network-stack statistics under metrics v3 for deeper cluster network monitoring
  (#5719).
- **Licensed-capacity alert**: Operators now receive an alert when cluster usage
  reaches 70% of licensed capacity, giving earlier warning before the limit
  (#6150).
- **Tables encryption UI**: Added a console interface to configure encryption for
  AIStor Tables warehouses (#6122).
- **Tables snapshot history pagination**: Table snapshot history is now paginated
  in the console, making large snapshot histories usable (#5977).
- **Tables UFR controls**: Added Unreferenced File Removal (UFR) configuration for
  AIStor Tables warehouses in the console (#6002).

---

## Performance Improvements

- Sharded multi-path namespace locks across lock-server shards, improving lock
  throughput and reducing contention on bulk operations (#6231).
- Sharded object-annotation storage 65,536 ways so annotation directories no
  longer accumulate millions of entries at scale (#6093).
- Added row virtualization to the object browser table for smooth rendering of
  very large object listings (#6047).

---

## Bug Fixes

### Data Durability & Healing

- Object version listings now reconcile across a quorum of drives instead of
  trusting a first responder, preventing stale or incomplete version results when
  a drive lags (#6225).
- Healing now breaks ETag ties in favor of the newest data version, avoiding
  restoration of stale object content (#6105).
- Healing performs a deep-scan read-repair to reconstruct objects whose shards are
  bitrot-corrupted, improving data durability (#6123).
- Heal worker counts are now validated against an upper bound, preventing
  misconfiguration that could destabilize healing (#6103).

### S3 API & Encryption

- Requests for tampered encrypted objects now return a clear `400` error instead
  of a misleading `206` partial-content response (#6113).
- The copied part checksum is now returned in `UploadPartCopy`, so checksummed
  server-side multipart copies complete instead of failing with `InvalidPart`
  (#6086).
- Unparseable part ETags are now rejected in `CompleteMultipartUpload`, preventing
  malformed multipart completions (#6078).

### AIStor Tables

- The table catalog now prunes stale entries after a cross-namespace rename,
  preventing orphaned metadata (#6126).
- Fixed a concurrency race in Tables catalog property writes by locking on the
  encoded object name, preventing lost updates (#6127).
- Tables compaction now retries commits on conflict, improving reliability under
  concurrent writes (#6056).
- Prevented Tables compaction from running twice when manually triggered during an
  active cycle (#6112).
- Table maintenance configuration is now protected by system lifecycle rules so it
  is no longer incorrectly expired (#6030).
- Fixed cache encryption settings not applying correctly to scanner-discovered
  table warehouses (#6027).
- Orphaned table data files are now reclaimed on site-replication replicas,
  recovering wasted storage (#5974).

### Configuration & Platform

- Negative network timeout durations are now rejected at startup with a clear
  error instead of being silently ignored (#6077).
- Negative excess-versions/folders alert thresholds are now rejected at config
  load, preventing a typo from flooding the alert subsystem (#6076).
- Fixed a server crash on Apple M5 Pro hardware by upgrading the CPU-detection
  dependency (#6135).
- Improved internode RDMA reliability with a credit-resilience fix in the vendored
  RDMA library (#6070).

### Console

- Bucket monitoring charts now render cleanly when metrics have empty or zero
  values instead of showing broken data (#6214).
- The loading spinner is now visible in light mode (#6239).
- Console tables and replication forms now reliably reflect submitted changes and
  no longer leave stale state after mutations (#6176).
- Table replication status now displays correctly when a replica peer is down
  (#6109).
- Adding a site-replication peer no longer forces the operation, avoiding
  unintended overwrites (#6088).
- Removed the inapplicable action button from the Tables Replication page (#6023).

---

## Improvements

- **Drive cache defaults**: Drive cache is now auto-enabled on nodes with 256 GiB
  or more of memory (sized at 10% of RAM, tunable up to a 25% cap), with live
  cache-entry counts exposed via `mc admin info` and a new Prometheus gauge
  (#6237).
- **Humanized config sizes**: The v3 server config file now accepts humanized byte
  sizes (e.g. `10GiB`) for size settings (#6174).
- **Crash-recoverable decommission**: Pool decommission now runs on a distributed
  job framework, so it survives node restarts and resumes automatically (#3068).
- **AIStor-native S3-over-RDMA server**: The server-side S3-over-RDMA
  implementation now uses AIStor's own RDMA library in place of NVIDIA's
  proprietary `libcuobjserver`, for both data-center and remote-client paths. The
  wire protocol is unchanged, so existing cuObject clients interoperate without
  modification (#6049).
- **Iceberg v3 compaction**: Table compaction now supports Iceberg v3 tables
  (#5717).
- **Replica write protection**: Writes to Iceberg tables are now correctly blocked
  on replica clusters, keeping replicated warehouses read-only (#5722).
- **QoS trace visibility**: QoS rate-limit rejections (HTTP `429`) now appear in
  server trace output for easier throttling diagnosis (#6144).
- **Hot-pool expansion metric**: Added a metric surfacing hot-pool-expansion
  rejections during rebalance so operators can observe rejected reloads directly
  (#6136).
- **MCP structured content**: MCP tools now return structured content, improving
  reliability of AI/agent integrations (#6099).
- **External KMS status**: The console now displays external KMS endpoint health,
  including clear reporting of partial connection failures (#5296).
- **Home dashboard redesign**: The console Home dashboard now shows 24-hour
  activity trends and hardware-utilization charts (#6094).
- **KMS page redesign**: Reworked the KMS settings page with a clearer enable flow
  and confirmation dialog (#6100).
- **Network monitoring redesign**: Corrected network chart alignment and added
  per-NIC bandwidth and time-to-first-byte charts (#5945).
- **Site replication UX**: Refreshed the site-replication setup, status, and
  statistics views for clearer configuration and monitoring (#6182, #6143, #6171).
- **Anonymous access page**: Reworked the Anonymous Access page with clearer,
  more accurate access-level options (#6069).
- **Batch job listings**: Redesigned batch job listings into a clearer horizontal
  tile layout (#6216).
- **Notifications page**: The Notifications page now uses tabs instead of
  clickable stat tiles for clearer navigation (#6202).

---

## Security & Compliance

### Software Bill of Materials (SBOM)

This release includes comprehensive SBOM documentation in multiple formats:

- [SPDX JSON](sbom-EDGE.2026-07-10T05-23-15Z.spdx.json) - Standard SBOM format
- [CycloneDX JSON](sbom-EDGE.2026-07-10T05-23-15Z.cyclonedx.json) - Security scanner compatible
- [Go Modules](go-modules-EDGE.2026-07-10T05-23-15Z.txt) - Human-readable dependency list

SBOM files document all direct and transitive dependencies for security auditing
and compliance requirements.

---

## Upgrade Instructions

For detailed upgrade instructions, please read: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/

Platform-specific upgrade guides:

- **Linux/Bare Metal**: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/upgrade-aistor-linux/
- **Kubernetes with Helm**: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/upgrade-aistor-kubernetes-helm/

### New Configuration Options

- `MINIO_CACHE_ENABLE` is now auto-enabled on nodes with ≥ 256 GiB memory; an
  explicit value still takes precedence. `MINIO_CACHE_SIZE` defaults to 10% of
  node memory and may be raised up to a 25% cap (#6237).
- `MINIO_IDENTITY_TLS_SPIFFE_MULTI_DOMAIN` qualifies SPIFFE policy names with the
  trust domain to support client certificates from multiple trust domains (#5984).
- The v3 config file now accepts humanized byte-size values (e.g. `10GiB`) (#6174).

### Support

For enterprise support:

- SUBNET Support: https://subnet.min.io
- Documentation: https://docs.min.io
