Description
MinIO is a high-performance object storage system. Prior to version RELEASE.2026-03-26T21-24-40Z, a flaw in extractMetadataFromMime() allows any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects by sending crafted X-Minio-Replication-* headers on a normal PutObject request. This issue has been patched in version RELEASE.2026-03-26T21-24-40Z.
Published: 2026-03-31
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-side encryption metadata injection via replication headers
Action: Patch immediately
AI Analysis

Impact

MinIO, an object storage system, had a flaw in extractMetadataFromMime() that allowed any authenticated user with s3:PutObject permission to inject server-side encryption (SSE) metadata into objects by sending specially crafted X-Minio-Replication-* headers on a normal PutObject request. The injection could cause objects to be inadvertently encrypted or stored with incorrect metadata, potentially leading to data integrity or confidentiality issues.

Affected Systems

The vulnerability affects the MinIO product. All installations running a version older than RELEASE.2026-03-26T21-24-40Z are vulnerable. The issue applies to any deployments that grant s3:PutObject permissions to authenticated users.

Risk and Exploitability

The CVSS base score is 7.1 and the EPSS score is below 1 percent, indicating a moderate to high severity but a low likelihood of widespread exploitation. It is not listed in CISA’s KEV catalog. The attack requires legitimate S3 authentication and the ability to send custom headers with a PutObject request, so it is limited to users who already have upload permissions. The flaw permits the injection of internal server-side encryption metadata, which could alter data handling and violate integrity or confidentiality.

Generated by OpenCVE AI on April 7, 2026 at 23:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MinIO to RELEASE.2026-03-26T21-24-40Z or a later patch that fixes the metadata injection issue.
  • If an immediate update is not possible, restrict or revoke s3:PutObject permissions for users who are not required to perform object replication.
  • Verify that any application logic accepting replication headers does not expose internal metadata to untrusted sources.

Generated by OpenCVE AI on April 7, 2026 at 23:09 UTC.
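The analysis above and the third recommended action both come down to one defensive check: X-Minio-Replication-* headers on a PutObject request should only be honoured when they come from an identity that is actually allowed to replicate. The following is an added example, not MinIO's own code and not from the advisory. It shows (a) a gateway-side sanitiser that strips such headers from requests by ordinary uploaders, and (b) a detection pass over access-log lines that flags PutObject requests carrying those headers from a non-replication principal. The log-line format, the principal names and the header name X-Minio-Replication-Example are all constructed for the example; only the X-Minio-Replication- prefix comes from the advisory.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Header prefix named in the advisory. Any header whose name starts with it is
# treated as replication-internal and must not be accepted from an ordinary uploader.
REPLICATION_PREFIX = "x-minio-replication-"


def is_replication_header(name: str) -> bool:
    """Case-insensitive match on the X-Minio-Replication-* prefix."""
    return name.lower().startswith(REPLICATION_PREFIX)


def sanitize_put_object_headers(
    headers: Dict[str, str], caller_is_replication_principal: bool
) -> Tuple[Dict[str, str], List[str]]:
    """Drop X-Minio-Replication-* headers unless the caller is a trusted replication
    principal. Returns (headers to forward, sorted names of the dropped headers)."""
    forwarded: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in headers.items():
        if is_replication_header(name) and not caller_is_replication_principal:
            dropped.append(name)
            continue
        forwarded[name] = value
    return forwarded, sorted(dropped)


# Constructed access-log lines (this is NOT MinIO's real audit-log format): one
# request per line, request headers as a comma-separated list of name=value pairs.
SAMPLE_LOG = [
    "2026-03-30T09:00:01Z PutObject principal=app-uploader bucket=docs key=a.pdf "
    "headers=Content-Type=application/pdf",
    "2026-03-30T09:00:02Z PutObject principal=app-uploader bucket=docs key=b.pdf "
    "headers=Content-Type=application/pdf,X-Minio-Replication-Example=1",
    "2026-03-30T09:00:03Z PutObject principal=svc-replication bucket=docs key=c.pdf "
    "headers=X-Minio-Replication-Example=1",
    "2026-03-30T09:00:04Z GetObject principal=app-uploader bucket=docs key=b.pdf "
    "headers=Range=bytes=0-10",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<op>\S+) principal=(?P<principal>\S+) "
    r"bucket=(?P<bucket>\S+) key=(?P<key>\S+) headers=(?P<headers>.*)$"
)


def parse_log_line(line: str) -> Optional[dict]:
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    headers: Dict[str, str] = {}
    for pair in m.group("headers").split(","):
        if "=" in pair:
            name, value = pair.split("=", 1)  # split once: values may contain '='
            headers[name] = value
    return {
        "ts": m.group("ts"),
        "op": m.group("op"),
        "principal": m.group("principal"),
        "bucket": m.group("bucket"),
        "key": m.group("key"),
        "headers": headers,
    }


def find_suspicious_puts(
    lines: Iterable[str], replication_principals: Iterable[str]
) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, principal, offending header names) for every PutObject that
    carries X-Minio-Replication-* headers from a principal not on the allow-list."""
    trusted = set(replication_principals)
    hits: List[Tuple[str, str, List[str]]] = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["op"] != "PutObject" or rec["principal"] in trusted:
            continue
        offending = sorted(n for n in rec["headers"] if is_replication_header(n))
        if offending:
            hits.append((rec["ts"], rec["principal"], offending))
    return hits


if __name__ == "__main__":
    for ts, who, names in find_suspicious_puts(SAMPLE_LOG, ["svc-replication"]):
        print(f"{ts} {who} sent replication headers on PutObject: {', '.join(names)}")
```

The sanitiser is the shape of check to put in front of a still-unpatched server (for example in a reverse proxy or an upload service that forwards to MinIO); the detection pass is what to run over historical access logs to find out whether anyone other than the replication identity has been sending these headers. Both use an explicit allow-list of replication principals rather than trusting the headers themselves, which is the point the advisory makes.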

Advisories
Source: GitHub GHSA
ID: GHSA-3rh2-v3gr-35p9
Title: MinIO is Vulnerable to SSE Metadata Injection via Replication Headers
History

Tue, 07 Apr 2026 18:00:00 +0000

Type      Values Removed   Values Added
CPEs      (none)           cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*
Metrics   (none)           cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H'}


Thu, 02 Apr 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Minio; Minio minio
Vendors & Products   (none)           Minio; Minio minio

Wed, 01 Apr 2026 23:45:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Type         Values Removed   Values Added
Description  (none)           MinIO is a high-performance object storage system. Prior to version RELEASE.2026-03-26T21-24-40Z, a flaw in extractMetadataFromMime() allows any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects by sending crafted X-Minio-Replication-* headers on a normal PutObject request. This issue has been patched in version RELEASE.2026-03-26T21-24-40Z.
Title        (none)           MinIO is Vulnerable to SSE Metadata Injection via Replication Headers
Weaknesses   (none)           CWE-287
References   (none)           (none)
Metrics      (none)           cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T13:42:45.444Z

Reserved: 2026-03-26T15:57:52.323Z

Link: CVE-2026-34204

Vulnrichment

Updated: 2026-04-01T13:42:41.213Z

NVD

Status : Analyzed

Published: 2026-03-31T20:16:28.583

Modified: 2026-04-07T16:06:00.360

Link: CVE-2026-34204

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:00:10Z

Weaknesses