CVE-2026-34204— MinIO is Vulnerable to SSE Metadata Injection via Replication Headers

MinIO is Vulnerable to SSE Metadata Injection via Replication Headers

MinIO is a high-performance object storage system. Prior to version RELEASE.2026-03-26T21-24-40Z, a flaw in extractMetadataFromMime() allows any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects by sending crafted X-Minio-Replication-* headers on a normal PutObject request. This issue has been patched in version RELEASE.2026-03-26T21-24-40Z.

N/A

认证机制不恰当

MinIO 授权问题漏洞

MinIO是美国MinIO公司的一款开源的对象存储服务器。该产品支持构建用于机器学习、分析和应用程序数据工作负载的基础架构。 MinIO RELEASE.2026-03-26T21-24-40Z之前版本存在授权问题漏洞，该漏洞源于extractMetadataFromMime()存在缺陷，可能导致任何具有s3:PutObject权限的经过身份验证的用户通过发送特制的X-Minio-Replication-*标头将内部服务器端加密元数据注入对象。

N/A

N/A