CVE-2026-34204
Published: 31 March 2026
Summary
CVE-2026-34204 is a high-severity Improper Authentication (CWE-287) vulnerability in MinIO (vendor MinIO). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 8.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): applying the vendor patch, RELEASE.2026-03-26T21-24-40Z, directly remediates the flaw in extractMetadataFromMime() that allows unauthorized metadata injection.
SI-10 (Information Input Validation): validating inputs at the S3 PutObject API interface prevents processing of crafted X-Minio-Replication-* headers that inject unauthorized server-side encryption metadata. Until the patch is applied, the same validation can be enforced in front of MinIO by refusing object writes that carry these headers from anything other than a known replication peer.
Restricting s3:PutObject permission to least privilege minimizes the number of low-privilege accounts able to exploit the vulnerability; because any authenticated identity with that permission suffices, every PutObject grant is part of the attack surface.
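The two controls above, as an added Go example (not MinIO project code and not part of the original page): IsPatched checks a running release tag against the fixed release named in the advisory, and Gate is a compensating input-validation filter meant to sit in front of MinIO (for instance wrapping a reverse proxy handler) that refuses PUT requests carrying any X-Minio-Replication-* header unless they originate from a trusted replication peer. The peer subnet, the header name "X-Minio-Replication-Example" and the addresses in main are constructed assumptions; the advisory does not name a specific header within the family.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"regexp"
	"strings"
)

// fixedRelease is the patched release named in the advisory.
const fixedRelease = "RELEASE.2026-03-26T21-24-40Z"

// MinIO release tags embed a zero-padded UTC timestamp; the capture group
// isolates it so tags compare correctly as plain strings.
var releaseRe = regexp.MustCompile(`^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)`)

// IsPatched reports whether a running release is at or after fixedRelease.
// Anything following the timestamp is ignored; a tag that does not match
// the expected shape is treated as unpatched so the caller investigates.
func IsPatched(tag string) bool {
	got := releaseRe.FindStringSubmatch(tag)
	want := releaseRe.FindStringSubmatch(fixedRelease)
	if got == nil {
		return false
	}
	return got[1] >= want[1]
}

// replicationPrefix is the header family named in the advisory, lower-cased
// so the match does not depend on how a proxy canonicalises header names.
const replicationPrefix = "x-minio-replication-"

// ReplicationHeaders returns the names of all X-Minio-Replication-* headers.
func ReplicationHeaders(h map[string][]string) []string {
	var found []string
	for name := range h {
		if strings.HasPrefix(strings.ToLower(name), replicationPrefix) {
			found = append(found, name)
		}
	}
	return found
}

// Verdict returns the HTTP status the gate should answer with. Only object
// writes (PUT) that carry replication headers are examined; those from a
// trusted replication peer pass, everything else is refused.
func Verdict(method, remoteAddr string, h map[string][]string, trustedPeers []*net.IPNet) (int, string) {
	if method != http.MethodPut {
		return http.StatusOK, ""
	}
	names := ReplicationHeaders(h)
	if len(names) == 0 {
		return http.StatusOK, ""
	}
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port present
	}
	if ip := net.ParseIP(host); ip != nil {
		for _, peer := range trustedPeers {
			if peer.Contains(ip) {
				return http.StatusOK, ""
			}
		}
	}
	return http.StatusForbidden, fmt.Sprintf("replication headers %v refused from %s", names, host)
}

// Gate wraps the handler that forwards to MinIO (a reverse proxy, for
// instance) and applies Verdict before the request reaches the server.
func Gate(next http.Handler, trustedPeers []*net.IPNet) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if code, reason := Verdict(r.Method, r.RemoteAddr, r.Header, trustedPeers); code != http.StatusOK {
			http.Error(w, reason, code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	fmt.Println("RELEASE.2026-03-20T00-00-00Z patched:", IsPatched("RELEASE.2026-03-20T00-00-00Z"))
	_, peer, _ := net.ParseCIDR("10.0.1.0/24") // constructed: the replication peer subnet
	code, reason := Verdict("PUT", "203.0.113.9:51234",
		map[string][]string{"X-Minio-Replication-Example": {"1"}}, []*net.IPNet{peer})
	fmt.Println(code, reason)
}
```

The gate refuses rather than silently strips the headers, so a misrouted replication peer shows up as a 403 instead of broken replication with no trace. It trusts the TCP peer address; if the gate itself sits behind a load balancer, the decision must be made on the real client address instead, or every request will appear to come from the balancer.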
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The PutObject API of a public-facing MinIO object storage service is reachable by any authenticated user. A single PutObject request with crafted headers injects unauthorized metadata into stored objects, so the technique maps directly to exploiting the exposed application, with the resulting integrity and availability impact on stored data.
NVD Description
MinIO is a high-performance object storage system. Prior to version RELEASE.2026-03-26T21-24-40Z, a flaw in extractMetadataFromMime() allows any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects by sending crafted X-Minio-Replication-* headers on a normal PutObject request.…
This issue has been patched in version RELEASE.2026-03-26T21-24-40Z.
Deeper analysis
CVE-2026-34204 is a vulnerability in MinIO, a high-performance object storage system, affecting versions prior to RELEASE.2026-03-26T21-24-40Z. The flaw resides in the extractMetadataFromMime() function, which permits any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects. This is achieved by sending crafted X-Minio-Replication-* headers during a standard PutObject request. The issue is rated with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H) and is associated with CWE-287 (Improper Authentication).
An attacker needs network access and a low-privilege account holding s3:PutObject permission; exploitation is remote, low complexity and requires no user interaction. Successful exploitation injects unauthorized server-side encryption metadata into objects, which the vector scores as a limited integrity impact (I:L) and a high availability impact (A:H); no confidentiality loss is indicated (C:N). Because the only precondition is an authenticated write to a bucket, every identity with PutObject access, including application service accounts, is a potential exploitation path.
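A retrospective hunt for the behaviour described above, as an added Go example (not MinIO project code and not part of the original page): it scans newline-delimited JSON audit records for PutObject calls whose request headers include an X-Minio-Replication-* header while the calling access key is not a known replication identity. The record layout (time, api.name, remotehost, accessKey, requestHeader), the sample records, the "replication-svc" key and the header name "X-Minio-Replication-Example" are all constructed assumptions; map the field names to whatever audit source the deployment actually writes.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// auditRecord carries only the fields the hunt needs. The field names
// (time, api.name, remotehost, accessKey, requestHeader) are an assumption
// about the JSON audit records being searched; map them to your log source.
type auditRecord struct {
	Time string `json:"time"`
	API  struct {
		Name   string `json:"name"`
		Bucket string `json:"bucket"`
		Object string `json:"object"`
	} `json:"api"`
	RemoteHost    string            `json:"remotehost"`
	AccessKey     string            `json:"accessKey"`
	RequestHeader map[string]string `json:"requestHeader"`
}

// Hit is one object write that carried replication headers from a
// principal that is not a known replication identity.
type Hit struct {
	Time, AccessKey, RemoteHost, Bucket, Object string
	Headers                                     []string
}

// replicationPrefix is the header family named in the advisory.
const replicationPrefix = "x-minio-replication-"

// FindInjectedReplicationHeaders scans newline-delimited JSON audit records
// and returns every PutObject whose request headers include an
// X-Minio-Replication-* header but whose access key is not in trustedKeys.
// Malformed lines are skipped rather than aborting the hunt.
func FindInjectedReplicationHeaders(ndjson string, trustedKeys map[string]bool) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(ndjson))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var rec auditRecord
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			continue
		}
		if rec.API.Name != "PutObject" || trustedKeys[rec.AccessKey] {
			continue
		}
		var names []string
		for name := range rec.RequestHeader {
			if strings.HasPrefix(strings.ToLower(name), replicationPrefix) {
				names = append(names, name)
			}
		}
		if len(names) == 0 {
			continue
		}
		hits = append(hits, Hit{rec.Time, rec.AccessKey, rec.RemoteHost, rec.API.Bucket, rec.API.Object, names})
	}
	return hits
}

// sampleAudit is constructed test data in the assumed record shape.
// "X-Minio-Replication-Example" stands in for whichever header in that
// family an attacker would send; the advisory does not name a specific one.
const sampleAudit = `
{"time":"2026-03-30T10:00:01Z","api":{"name":"PutObject","bucket":"data","object":"a.txt"},"remotehost":"10.0.2.15","accessKey":"app-user","requestHeader":{"Content-Type":"text/plain"}}
{"time":"2026-03-30T10:00:02Z","api":{"name":"PutObject","bucket":"data","object":"b.txt"},"remotehost":"10.0.1.7","accessKey":"replication-svc","requestHeader":{"X-Minio-Replication-Example":"1"}}
{"time":"2026-03-30T10:00:03Z","api":{"name":"PutObject","bucket":"data","object":"c.txt"},"remotehost":"203.0.113.9","accessKey":"app-user","requestHeader":{"x-minio-replication-example":"1","Content-Type":"text/plain"}}
{"time":"2026-03-30T10:00:04Z","api":{"name":"GetObject","bucket":"data","object":"c.txt"},"remotehost":"203.0.113.9","accessKey":"app-user","requestHeader":{"X-Minio-Replication-Example":"1"}}
`

func main() {
	for _, h := range FindInjectedReplicationHeaders(sampleAudit, map[string]bool{"replication-svc": true}) {
		fmt.Printf("%s %s from %s wrote %s/%s with %v\n", h.Time, h.AccessKey, h.RemoteHost, h.Bucket, h.Object, h.Headers)
	}
}
```

Filtering on the access key rather than the source address is deliberate: an attacker with stolen replication credentials would still be missed, so in practice both the key allow-list and a peer-address check belong in the hunt, and any hit on a pre-patch release should trigger an integrity review of the objects it names.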
The MinIO security advisory at https://github.com/minio/minio/security/advisories/GHSA-3rh2-v3gr-35p9 confirms the patch in version RELEASE.2026-03-26T21-24-40Z, recommending immediate upgrades for affected deployments to mitigate the issue.
Details
- CWE(s)