Executive Summary

CVE-2026-34204 is a high-severity vulnerability in the MinIO object storage server affecting versions prior to RELEASE.2026-03-26T21-24-40Z. The flaw exists in the extractMetadataFromMime() function, where any authenticated user with s3:PutObject permission can inject internal server-side encryption metadata into objects by sending specially crafted X-Minio-Replication-* headers in a normal PutObject request.

This happens because the server incorrectly treats these replication headers as legitimate without verifying the presence of the required X-Minio-Source-Replication-Request header, allowing unauthorized injection of encryption metadata.

As a result, objects can be written with bogus encryption keys, making them permanently unreadable via the S3 API and effectively causing a targeted denial-of-service by corrupting individual objects or entire buckets.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause permanent loss of availability of affected objects by corrupting their server-side encryption metadata, rendering them unreadable through the S3 API.

An attacker with s3:PutObject permission can exploit this flaw to perform a targeted denial-of-service (DoS) attack on specific objects or entire buckets, disrupting access to stored data.

Although the vulnerability does not expose confidential data, it impacts data integrity and availability, which can severely affect applications relying on MinIO for object storage.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for PutObject requests that include crafted X-Minio-Replication-* headers without the required X-Minio-Source-Replication-Request header.

One approach is to inspect network traffic or server logs for suspicious PutObject requests containing these headers.

Commands to detect such requests might include using tools like tcpdump or tshark to filter HTTP headers, for example:

• tcpdump -A -s 0 'tcp port 9000 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'X-Minio-Replication-'
• tshark -Y 'http.header contains "X-Minio-Replication-" and not http.header contains "X-Minio-Source-Replication-Request"' -T fields -e http.host -e http.request.uri

Additionally, auditing IAM policies to identify users with s3:PutObject permissions and reviewing logs for unusual object writes can help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade MinIO to version RELEASE.2026-03-26T21-24-40Z or later, where the vulnerability is patched.

If immediate upgrade is not possible, workarounds include:

• Restricting or dropping requests containing X-Minio-Replication-Server-Side-Encryption-* headers at reverse proxies or load balancers unless accompanied by the X-Minio-Source-Replication-Request header.
• Auditing and tightening IAM policies to limit s3:PutObject permissions only to trusted principals, although this does not fully eliminate the risk.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an authenticated user with s3:PutObject permission to corrupt objects by injecting bogus server-side encryption metadata, causing permanent loss of availability of affected objects.

While the vulnerability does not expose confidential data, the resulting denial-of-service and data corruption could impact compliance with standards and regulations that require data availability and integrity, such as GDPR and HIPAA.

Specifically, loss of availability and integrity of stored data may violate requirements for data protection and availability under these regulations, potentially leading to compliance issues.

Useful 0 Not Useful 0