Cyber Resilience

CVE-2026-34204

Severity: High

Published: 31 March 2026
Modified: 07 April 2026
KEV Added: not listed
Status: Patch available
CVSS v4.0 score: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0003 (10.4th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-34204 is a high-severity Improper Authentication (CWE-287) vulnerability in Minio Minio. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score ranks at the 10.4th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34204 is a vulnerability in MinIO, a high-performance object storage system, affecting versions prior to RELEASE.2026-03-26T21-24-40Z. The flaw resides in the extractMetadataFromMime() function, which permits any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects. This is achieved by sending crafted X-Minio-Replication-* headers during a standard PutObject request. The issue is rated with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H) and is associated with CWE-287 (Improper Authentication).

Exploitation requires network access and a low-privilege authenticated account holding s3:PutObject permission; the attack is remote, low in complexity, and needs no user interaction. Successful exploitation allows injection of unauthorized server-side encryption metadata into objects, with limited integrity impact and high availability impact; no confidentiality loss is indicated.

The MinIO security advisory at https://github.com/minio/minio/security/advisories/GHSA-3rh2-v3gr-35p9 confirms the patch in version RELEASE.2026-03-26T21-24-40Z, recommending immediate upgrades for affected deployments to mitigate the issue.

Vulnerability details

MinIO is a high-performance object storage system. Prior to version RELEASE.2026-03-26T21-24-40Z, a flaw in extractMetadataFromMime() allows any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects by sending crafted X-Minio-Replication-* headers on a normal PutObject request.…

This issue has been patched in version RELEASE.2026-03-26T21-24-40Z.

CWE(s)

CWE-287 Improper Authentication

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The vulnerability in public-facing MinIO object storage lets authenticated users send crafted headers through the PutObject API to inject unauthorized metadata, which directly enables stored data manipulation with integrity and availability impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-41145 (same product: Minio Minio)
CVE-2026-33322 (same product: Minio Minio)
CVE-2026-40344 (same product: Minio Minio)
CVE-2026-33419 (same product: Minio Minio)
CVE-2026-42600 (same product: Minio Minio)
CVE-2025-71279 (shared CWE-287)
CVE-2024-13804 (shared CWE-287)
CVE-2024-57046 (shared CWE-287)
CVE-2026-1203 (shared CWE-287)
CVE-2026-1740 (shared CWE-287)

Affected Assets

Vendor: minio
Product: minio
Affected versions: ≤ 2026-03-26t21-24-40z

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Prevent (SI-2 Flaw Remediation): Applying the vendor patch in RELEASE.2026-03-26T21-24-40Z directly remediates the flaw in extractMetadataFromMime() that allows unauthorized metadata injection.

Prevent (SI-10 Information Input Validation): Validating inputs at the S3 PutObject API interface prevents processing of crafted X-Minio-Replication-* headers that inject unauthorized server-side encryption metadata.

Prevent (least privilege): Restricting s3:PutObject permission to least privilege minimizes the number of low-privilege accounts able to exploit the vulnerability.

References

MinIO security advisory GHSA-3rh2-v3gr-35p9: https://github.com/minio/minio/security/advisories/GHSA-3rh2-v3gr-35p9