{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34204", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T15:57:52.323Z", "datePublished": "2026-03-31T19:30:31.057Z", "dateUpdated": "2026-04-01T13:42:45.444Z"}, "containers": {"cna": {"title": "MinIO is Vulnerable to SSE Metadata Injection via Replication Headers", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/minio/minio/security/advisories/GHSA-3rh2-v3gr-35p9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/minio/minio/security/advisories/GHSA-3rh2-v3gr-35p9"}], "affected": [{"vendor": "minio", "product": "minio", "versions": [{"version": "< RELEASE.2026-03-26T21-24-40Z", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T19:30:31.057Z"}, "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. Prior to version RELEASE.2026-03-26T21-24-40Z, a flaw in extractMetadataFromMime() allows any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects by sending crafted X-Minio-Replication-* headers on a normal PutObject request. This issue has been patched in version RELEASE.2026-03-26T21-24-40Z."}], "source": {"advisory": "GHSA-3rh2-v3gr-35p9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T13:42:38.433636Z", "id": "CVE-2026-34204", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T13:42:45.444Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34204", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T13:42:38.433636Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T13:42:41.213Z"}}], "cna": {"title": "MinIO is Vulnerable to SSE Metadata Injection via Replication Headers", "source": {"advisory": "GHSA-3rh2-v3gr-35p9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "minio", "product": "minio", "versions": [{"status": "affected", "version": "< RELEASE.2026-03-26T21-24-40Z"}]}], "references": [{"url": "https://github.com/minio/minio/security/advisories/GHSA-3rh2-v3gr-35p9", "name": "https://github.com/minio/minio/security/advisories/GHSA-3rh2-v3gr-35p9", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. Prior to version RELEASE.2026-03-26T21-24-40Z, a flaw in extractMetadataFromMime() allows any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects by sending crafted X-Minio-Replication-* headers on a normal PutObject request. This issue has been patched in version RELEASE.2026-03-26T21-24-40Z."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T19:30:31.057Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34204", "state": "PUBLISHED", "dateUpdated": "2026-04-01T13:42:45.444Z", "dateReserved": "2026-03-26T15:57:52.323Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T19:30:31.057Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "47E11179-FE31-42F4-AA7A-E8E78BA4BB3E", "versionEndExcluding": "2026-03-26t21-24-40z", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. Prior to version RELEASE.2026-03-26T21-24-40Z, a flaw in extractMetadataFromMime() allows any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects by sending crafted X-Minio-Replication-* headers on a normal PutObject request. This issue has been patched in version RELEASE.2026-03-26T21-24-40Z."}], "id": "CVE-2026-34204", "lastModified": "2026-04-07T16:06:00.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T20:16:28.583", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/minio/minio/security/advisories/GHSA-3rh2-v3gr-35p9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,RELEASE.2026-03-26T21-24-40Z)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "minio", "source": "cna", "vendor": "minio"}, "product": "minio", "vendor": "minio"}], "analysis": {"en": {"generated_at": "2026-04-07T23:09:25.603204+00:00", "value": {"mitigation_remediation": ["Update MinIO to RELEASE.2026-03-26T21-24-40Z or a later patch that fixes the metadata injection issue.", "If an immediate update is not possible, restrict or revoke s3:PutObject permissions for users who are not required to perform object replication.", "Verify that any application logic accepting replication headers does not expose internal metadata to untrusted sources."], "summary": {"action": "Patch immediately", "impact": "Server-side encryption metadata injection via replication headers"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the MinIO product. All installations running a version older than RELEASE.2026-03-26T21-24-40Z are vulnerable. The issue applies to any deployments that grant s3:PutObject permissions to authenticated users.", "description_and_impact": "MinIO, an object storage system, had a flaw in extractMetadataFromMime() that allowed any authenticated user with s3:PutObject permission to inject server-side encryption (SSE) metadata into objects by sending specially crafted X-Minio-Replication-* headers on a normal PutObject request. The injection could cause objects to be inadvertently encrypted or stored with incorrect metadata, potentially leading to data integrity or confidentiality issues.", "risk_and_exploitability": "The CVSS base score is 7.1 and the EPSS score is below 1\u202fpercent, indicating a moderate to high severity but a low likelihood of widespread exploitation. It is not listed in CISA\u2019s KEV catalog. The attack requires legitimate S3 authentication and the ability to send custom headers with a PutObject request, so it is limited to users who already have upload permissions. The flaw permits the injection of internal server\u2011side encryption metadata, which could alter data handling and violate integrity or confidentiality."}}}}, "created": "2026-04-02T07:53:08.322316+00:00", "updated": "2026-04-08T20:00:10.527214+00:00", "vendors": ["minio", "minio$PRODUCT$minio"]}