PT-2026-28605 · Minio · Minio Aistor+1

Harshavardhana · Published 2026-03-27 · Updated 2026-04-07 · CVE-2026-34204

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions
MinIO versions prior to RELEASE.2026-03-26T21-24-40Z

Description
A flaw in the extractMetadataFromMime() function allows any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects. This is achieved by sending crafted X-Minio-Replication-* headers on a normal PutObject request. The server incorrectly maps these headers to internal encryption metadata without verifying the request's legitimacy. Objects written in this manner become permanently unreadable through the S3 API. The issue was introduced in commit 468a9fae83e965ecefa1c1fdc2fc57b84ece95b0 on 2024-03-28. The affected component is cmd/handler-utils.go.

Recommendations
Upgrade to MinIO AIStor version RELEASE.2026-03-26T21-24-40Z or later. If upgrading is not immediately possible, restrict replication headers at a reverse proxy or load balancer by dropping or rejecting any request containing X-Minio-Replication-Server-Side-Encryption-* headers that does not also carry X-Minio-Source-Replication-Request. Audit IAM policies and limit s3:PutObject grants to trusted principals.
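The proxy-side stopgap from the recommendations above, written out as an added Go example (not MinIO's own code or its fix): an HTTP middleware that refuses any request carrying X-Minio-Replication-Server-Side-Encryption-* headers unless it also carries X-Minio-Source-Replication-Request. The header names are taken from the advisory; the function names and the sample header in main are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Header names come from the advisory; the filtering logic is an added example.
const (
	sseReplicationPrefix  = "X-Minio-Replication-Server-Side-Encryption-"
	sourceReplicationFlag = "X-Minio-Source-Replication-Request"
)

// hasUnverifiedReplicationSSE reports whether a request carries replication
// SSE headers without the replication-request marker that legitimate
// replication traffic also sends (the rule the advisory recommends for a proxy).
func hasUnverifiedReplicationSSE(h http.Header) bool {
	if h.Get(sourceReplicationFlag) != "" {
		return false
	}
	for name := range h {
		// Compare on the canonical form so casing differences cannot bypass the check.
		if strings.HasPrefix(http.CanonicalHeaderKey(name), sseReplicationPrefix) {
			return true
		}
	}
	return false
}

// RejectForgedReplicationHeaders wraps an upstream handler and answers 403
// for requests the advisory recommends dropping at the proxy or load balancer.
func RejectForgedReplicationHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if hasUnverifiedReplicationSSE(r.Header) {
			http.Error(w, "replication headers are not accepted from clients", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample: a client PutObject carrying a replication SSE header
	// but no replication-request marker, which the filter must reject.
	h := http.Header{}
	h.Set("X-Minio-Replication-Server-Side-Encryption-Example", "constructed")
	fmt.Println("reject:", hasUnverifiedReplicationSSE(h)) // reject: true
}
```

The filter only implements the presence rule from the advisory; it does not verify that a request carrying the marker really comes from a replication peer, so it is a stopgap until the upgrade, not a replacement for it.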

Weakness Enumeration

Improper Authentication

Related Identifiers

BIT-MINIO-2026-34204
CVE-2026-34204
GHSA-3RH2-V3GR-35P9
GO-2026-4896
SUSE-SU-2026:1205-1

Affected Products

Minio
Minio Aistor