CVE-2026-34204

HIGH

MinIO is Vulnerable to SSE Metadata Injection via Replication Headers

Title source: cna

Description

MinIO is a high-performance object storage system. Prior to version RELEASE.2026-03-26T21-24-40Z, a flaw in extractMetadataFromMime() allows any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects by sending crafted X-Minio-Replication-* headers on a normal PutObject request. This issue has been patched in version RELEASE.2026-03-26T21-24-40Z.

References (1)

[X_Refsource_Confirm] https://github.com/minio/minio/security/advisories/GHSA-3rh2-v3gr-35p9

Scores

CVSS v3 7.1

EPSS 0.0003

EPSS Percentile 7.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-287

Status published

Products (3)

minio/minio < 2026-03-26t21-24-40z

minio/minio 0.0.0-20240328174456-468a9fae83e9Go

minio/minio < RELEASE.2026-03-26T21-24-40Z

Published Mar 31, 2026

Tracked Since Apr 01, 2026