Impact
The vulnerability is a flaw in MinIO's request metadata extraction: an authenticated user holding only s3:PutObject can embed arbitrary server-side encryption (SSE) metadata into a stored object by adding crafted X-MinIO-Replication-* headers to an ordinary PutObject request. These headers are meant to carry replication state between MinIO sites, not to be set by an arbitrary uploader; honouring them on a normal upload lets the caller dictate SSE metadata the server would otherwise set itself, which can change how the object is treated as encrypted or stored and potentially expose data or weaken the encryption guarantees the deployment relies on. The advisory maps the weakness to CWE-287 (Improper Authentication): the server trusts replication headers without verifying that the request actually originates from an authorised replication source.
Affected Systems
MinIO object storage releases prior to RELEASE.2026-03-26T21-24-40Z are affected; any deployment still running an older release is at risk. Deployments on RELEASE.2026-03-26T21-24-40Z or later are not vulnerable. Note that MinIO release tags are UTC timestamps, so "prior to" means every tag that sorts before that date-time.
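The following is an added example (not code from the page or from MinIO) that turns the version boundary above into a check: it pulls the RELEASE.<timestamp> tag out of a version string and compares it against the fixed release. It assumes `minio --version` prints a line containing the tag (the surrounding text in the sample is an assumption); development builds carry no release tag and are reported as unclassified so they get manual review rather than a false "patched".

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Fixed release named in the advisory; every older release tag is affected.
FIXED_RELEASE = "RELEASE.2026-03-26T21-24-40Z"

# MinIO release tags are UTC timestamps with '-' separating the time fields.
_RELEASE_RE = re.compile(r"RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)")


def parse_release(text: str) -> Optional[datetime]:
    """Extract the RELEASE.<timestamp> tag from a bare tag or a full line.

    The full-line form is assumed to resemble the output of `minio --version`
    (e.g. 'minio version RELEASE.2026-03-26T21-24-40Z (commit-id=...)').
    Returns None for development builds or anything without a release tag.
    """
    match = _RELEASE_RE.search(text)
    if not match:
        return None
    stamp = datetime.strptime(match.group(1), "%Y-%m-%dT%H-%M-%SZ")
    return stamp.replace(tzinfo=timezone.utc)


def is_affected(version_text: str) -> Optional[bool]:
    """True  -> older than the fixed release (vulnerable)
    False -> fixed release or newer
    None  -> cannot be classified (no release tag); treat as needing review."""
    found = parse_release(version_text)
    if found is None:
        return None
    return found < parse_release(FIXED_RELEASE)


if __name__ == "__main__":
    # Constructed sample inputs, not real output from a deployment.
    for sample in (
        "minio version RELEASE.2025-10-15T17-29-55Z (commit-id=0123abcd)",
        "RELEASE.2026-03-26T21-24-40Z",
        "minio version DEVELOPMENT.GOGET",
    ):
        print(f"{sample!r}: affected={is_affected(sample)}")
```

Feed it the output of `minio --version` from each node, or the version reported by `mc admin info`; a fleet is only clear when every node returns False.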
Risk and Exploitability
The CVSS base score of 7.1 places the issue in the High severity band. No EPSS score has been published, so there is no probability estimate for exploitation, and the vulnerability is not in CISA's KEV catalog, meaning no confirmed in-the-wild exploitation has been recorded; neither absence should be read as evidence that the flaw is hard to exploit. Exploitation requires only valid S3 credentials that carry s3:PutObject on some bucket and a single PutObject request with the replication headers attached; no administrative privilege and no access to the replication configuration are needed. In practice that means every application service account and every tenant user able to upload objects is a potential source, so the exposure is proportional to how widely PutObject is granted, not to how many administrators exist. Upgrading to the fixed release is the remediation; until then, stripping X-MinIO-Replication-* headers at an ingress proxy for all traffic except trusted replication peers reduces exposure, and audit logs can be reviewed for ordinary uploads that carried these headers.
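The detection suggested above, as an added example that is not part of the advisory or of MinIO: it scans MinIO audit-log lines (JSON, one entry per line) for PutObject requests whose request headers include any X-Minio-Replication-* name and that did not come from an allowlisted replication service account. The log field names (`api.name`, `requestHeader`, `accessKey`, `remotehost`) approximate MinIO's audit-webhook schema and are an assumption; adjust them to the entries your deployment actually emits. The sample lines and the specific header names in them are constructed for the example.

```python
import json
from typing import Dict, FrozenSet, Iterable, List

# Any request header with this prefix, on a plain upload, is the injection vector.
SUSPECT_PREFIX = "x-minio-replication-"

# Constructed audit entries (schema approximated, not captured from a real cluster).
SAMPLE_AUDIT_LINES = [
    json.dumps({"time": "2026-03-27T08:00:01Z", "remotehost": "10.0.0.5",
                "accessKey": "app-writer",
                "api": {"name": "PutObject", "bucket": "backups", "object": "db.dump"},
                "requestHeader": {"Content-Length": "1024",
                                  "X-Amz-Content-Sha256": "UNSIGNED-PAYLOAD"}}),
    json.dumps({"time": "2026-03-27T08:00:02Z", "remotehost": "10.0.0.5",
                "accessKey": "app-writer",
                "api": {"name": "PutObject", "bucket": "backups", "object": "db.dump"},
                "requestHeader": {"Content-Length": "1024",
                                  "X-Minio-Replication-Status": "REPLICA",
                                  "X-Minio-Replication-Server-Side-Encryption-Sealed-Key": "AAAA"}}),
    json.dumps({"time": "2026-03-27T08:00:03Z", "remotehost": "10.1.0.9",
                "accessKey": "repl-svc",
                "api": {"name": "PutObject", "bucket": "backups", "object": "db.dump"},
                "requestHeader": {"X-Minio-Replication-Status": "REPLICA"}}),
    json.dumps({"time": "2026-03-27T08:00:04Z", "remotehost": "10.0.0.7",
                "accessKey": "app-reader",
                "api": {"name": "GetObject", "bucket": "backups", "object": "db.dump"},
                "requestHeader": {"X-Minio-Replication-Status": "REPLICA"}}),
    "this line is not json and must be skipped, not crash the scan",
]


def find_replication_header_injection(
    lines: Iterable[str],
    trusted_replication_accounts: FrozenSet[str] = frozenset(),
) -> List[Dict]:
    """Return one finding per PutObject whose request carried X-Minio-Replication-*
    headers from an account that is not a known replication peer.

    Header matching is case-insensitive because log shippers and proxies
    normalise header-name casing inconsistently.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the whole scan
        api = entry.get("api") or {}
        if api.get("name") != "PutObject":
            continue  # the advisory's vector is an ordinary upload
        headers = entry.get("requestHeader") or {}
        injected = sorted(h for h in headers if h.lower().startswith(SUSPECT_PREFIX))
        if not injected:
            continue
        actor = entry.get("accessKey", "")
        if actor in trusted_replication_accounts:
            continue  # genuine site/bucket replication legitimately sets these
        findings.append({
            "line": lineno,
            "accessKey": actor,
            "remotehost": entry.get("remotehost", ""),
            "bucket": api.get("bucket"),
            "object": api.get("object"),
            "headers": injected,
        })
    return findings


if __name__ == "__main__":
    for f in find_replication_header_injection(SAMPLE_AUDIT_LINES, frozenset({"repl-svc"})):
        print(f"line {f['line']}: {f['accessKey']}@{f['remotehost']} -> "
              f"{f['bucket']}/{f['object']} headers={f['headers']}")
```

Keep the allowlist tight: it should contain only the service accounts your replication targets authenticate with, since any account on it is exempt from the check. Run the scan over the full retention window, not just post-patch logs, because a successful injection before the upgrade leaves the affected object's metadata in place.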
OpenCVE Enrichment source: GitHub GHSA