GHSA-3RH2-V3GR-35P9

Vulnerability from github – Published: 2026-03-27 22:26 – Updated: 2026-04-08 11:55
VLAI?
Summary
MinIO is Vulnerable to SSE Metadata Injection via Replication Headers
Details

Impact

What kind of vulnerability is it? Who is impacted?

A flaw in extractMetadataFromMime() allows any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects by sending crafted X-Minio-Replication-* headers on a normal PutObject request. The server unconditionally maps these headers to X-Minio-Internal-* encryption metadata without verifying that the request is a legitimate replication request. Objects written this way carry bogus encryption keys and become permanently unreadable through the S3 API.

Any authenticated user or service with s3:PutObject permission on any bucket can make objects permanently unreadable by injecting fake SSE encryption metadata. The attacker sends a standard PutObject request with X-Minio-Replication-Server-Side-Encryption-* headers but without the X-Minio-Source-Replication-Request header that marks legitimate replication traffic. The server maps these headers to internal encryption metadata (X-Minio-Internal-Server-Side-Encryption-Sealed-Key, etc.), causing all subsequent GetObject and HeadObject calls to treat the object as encrypted with keys that do not exist.

This is a targeted denial-of-service vulnerability. An attacker can selectively corrupt individual objects or entire buckets. The ReplicateObjectAction IAM permission is never checked because the request is a normal PutObject, not a replication request.

Affected component: cmd/handler-utils.go, function extractMetadataFromMime().

Affected Versions

All MinIO releases through the final release of the minio/minio open-source project.

The vulnerability was introduced in commit 468a9fae83e965ecefa1c1fdc2fc57b84ece95b0 ("Enable replication of SSE-C objects", PR #19107, 2024-03-28). The first affected release is RELEASE.2024-03-30T09-41-56Z.

Patches

Fixed in: MinIO AIStor RELEASE.2026-03-26T21-24-40Z

Binary Downloads

Platform Architecture Download
Linux amd64 minio
Linux arm64 minio
macOS arm64 minio
macOS amd64 minio
Windows amd64 minio.exe

FIPS Binaries

Platform Architecture Download
Linux amd64 minio.fips
Linux arm64 minio.fips

Package Downloads

Format Architecture Download
DEB amd64 minio_20260326212440.0.0_amd64.deb
DEB arm64 minio_20260326212440.0.0_arm64.deb
RPM amd64 minio-20260326212440.0.0-1.x86_64.rpm
RPM arm64 minio-20260326212440.0.0-1.aarch64.rpm

Container Images

# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z

# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips

Homebrew (macOS)

brew install minio/aistor/minio

Workarounds

Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-03-26T21-24-40Z or later.

If upgrading is not immediately possible:

  • Restrict replication headers at a reverse proxy / load balancer. Drop or reject any request containing X-Minio-Replication-Server-Side-Encryption-* headers that does not also carry X-Minio-Source-Replication-Request. This blocks the injection path without modifying the server.

  • Audit IAM policies. Limit s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any authorized user can exploit it.

References

Severity ?
7.1 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
7.1 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/minio/minio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-20240328174456-468a9fae83e9"
            },
            {
              "last_affected": "0.0.0-20260212201848-7aac2a2c5b7c"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34204"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T22:26:05Z",
    "nvd_published_at": "2026-03-31T20:16:28Z",
    "severity": "HIGH"
  },
  "details": "## Impact\n\n_What kind of vulnerability is it? Who is impacted?_\n\nA flaw in `extractMetadataFromMime()` allows any authenticated user with `s3:PutObject` permission to inject internal server-side encryption metadata into objects by sending crafted `X-Minio-Replication-*` headers on a normal PutObject request. The server unconditionally maps these headers to `X-Minio-Internal-*` encryption metadata without verifying that the request is a legitimate replication request. Objects written this way carry bogus encryption keys and become **permanently unreadable** through the S3 API.\n\nAny authenticated user or service with `s3:PutObject` permission on any bucket can make objects permanently unreadable by injecting fake SSE encryption metadata. The attacker sends a standard PutObject request with `X-Minio-Replication-Server-Side-Encryption-*` headers but **without** the `X-Minio-Source-Replication-Request` header that marks legitimate replication traffic. The server maps these headers to internal encryption metadata (`X-Minio-Internal-Server-Side-Encryption-Sealed-Key`, etc.), causing all subsequent GetObject and HeadObject calls to treat the object as encrypted with keys that do not exist.\n\nThis is a targeted denial-of-service vulnerability. An attacker can selectively corrupt individual objects or entire buckets. The `ReplicateObjectAction` IAM permission is never checked because the request is a normal PutObject, not a replication request.\n\n**Affected component:** `cmd/handler-utils.go`, function `extractMetadataFromMime()`.\n\n## Affected Versions\n\nAll MinIO releases through the final release of the minio/minio open-source project.\n\nThe vulnerability was introduced in commit `468a9fae83e965ecefa1c1fdc2fc57b84ece95b0` (\"Enable replication of SSE-C objects\", [PR #19107](https://github.com/minio/minio/pull/19107), 2024-03-28). The first affected release is `RELEASE.2024-03-30T09-41-56Z`.\n\n## Patches\n\n**Fixed in**: MinIO AIStor RELEASE.2026-03-26T21-24-40Z\n\n### Binary Downloads\n\n| Platform | Architecture | Download |\n| -------- | ------------ | -------- |\n| Linux | amd64 | [minio](https://dl.min.io/aistor/minio/release/linux-amd64/minio) |\n| Linux | arm64 | [minio](https://dl.min.io/aistor/minio/release/linux-arm64/minio) |\n| macOS | arm64 | [minio](https://dl.min.io/aistor/minio/release/darwin-arm64/minio) |\n| macOS | amd64 | [minio](https://dl.min.io/aistor/minio/release/darwin-amd64/minio) |\n| Windows | amd64 | [minio.exe](https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe) |\n\n### FIPS Binaries\n\n| Platform | Architecture | Download |\n| -------- | ------------ | -------- |\n| Linux | amd64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips) |\n| Linux | arm64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips) |\n\n### Package Downloads\n\n| Format | Architecture | Download |\n| ------ | ------------ | -------- |\n| DEB | amd64 | [minio_20260326212440.0.0_amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio_20260326212440.0.0_amd64.deb) |\n| DEB | arm64 | [minio_20260326212440.0.0_arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio_20260326212440.0.0_arm64.deb) |\n| RPM | amd64 | [minio-20260326212440.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260326212440.0.0-1.x86_64.rpm) |\n| RPM | arm64 | [minio-20260326212440.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/release/linux-arm64/minio-20260326212440.0.0-1.aarch64.rpm) |\n\n### Container Images\n\n```bash\n# Standard\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z\n\n# FIPS\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips\n```\n\n### Homebrew (macOS)\n\n```bash\nbrew install minio/aistor/minio\n```\n\n## Workarounds\n\n[Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-03-26T21-24-40Z` or later.](https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/)\n\nIf upgrading is not immediately possible:\n\n- **Restrict replication headers at a reverse proxy / load balancer.** Drop or reject any request containing `X-Minio-Replication-Server-Side-Encryption-*` headers that does not also carry `X-Minio-Source-Replication-Request`. This blocks the injection path without modifying the server.\n\n- **Audit IAM policies.** Limit `s3:PutObject` grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any authorized user can exploit it.\n\n## References\n\n- Introducing commit: [`468a9fae8`](https://github.com/minio/minio/commit/468a9fae83e965ecefa1c1fdc2fc57b84ece95b0) ([PR #19107](https://github.com/minio/minio/pull/19107))\n- [MinIO AIStor](https://min.io/aistor)",
  "id": "GHSA-3rh2-v3gr-35p9",
  "modified": "2026-04-08T11:55:44Z",
  "published": "2026-03-27T22:26:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/security/advisories/GHSA-3rh2-v3gr-35p9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34204"
    },
    {
      "type": "WEB",
      "url": "https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/minio/minio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MinIO is Vulnerable to SSE Metadata Injection via Replication Headers"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.