Server-Side Encryption Vulnerability in MinIO Object Storage
CVE-2026-34204

7.1 HIGH

Key Information:

Vendor: Minio
CVE Published: 31 March 2026

What is CVE-2026-34204?

A vulnerability in MinIO, a high-performance object storage system, allows authenticated users with s3:PutObject permission to exploit a flaw in the extractMetadataFromMime() function. This flaw enables the injection of internal server-side encryption metadata by sending specially crafted X-Minio-Replication-* headers during a standard PutObject request. The issue has been addressed and patched in the subsequent release (RELEASE.2026-03-26T21-24-40Z). For further information, please refer to the security advisory provided.

Affected Version(s)

minio < RELEASE.2026-03-26T21-24-40Z
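A defender-side check for the two facts above, added here as an example and not taken from MinIO or the advisory: it compares a deployed release tag against the fixed release, and flags PutObject requests that carry X-Minio-Replication-* headers from principals not expected to replicate. The record layout, principal names, header name and sample release tags are constructed assumptions, not MinIO's audit log schema.

```python
from datetime import datetime, timezone

FIXED_RELEASE = "RELEASE.2026-03-26T21-24-40Z"  # fixed release named on this page
SUSPECT_PREFIX = "x-minio-replication-"         # header family named in the description


def release_time(tag: str) -> datetime:
    """Parse a RELEASE.YYYY-MM-DDTHH-MM-SSZ tag; raises ValueError on other formats."""
    parsed = datetime.strptime(tag, "RELEASE.%Y-%m-%dT%H-%M-%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def is_affected(tag: str) -> bool:
    """True when the deployed release predates the fixed release."""
    return release_time(tag) < release_time(FIXED_RELEASE)


def flag_requests(records, replication_principals=frozenset()):
    """Return PutObject records carrying X-Minio-Replication-* headers from a
    principal outside the (hypothetical) allowlist of replication accounts."""
    hits = []
    for rec in records:
        if rec["api"] != "PutObject" or rec["principal"] in replication_principals:
            continue
        matched = sorted(h for h in rec["headers"] if h.lower().startswith(SUSPECT_PREFIX))
        if matched:
            hits.append({"principal": rec["principal"], "object": rec["object"],
                         "headers": matched})
    return hits


# Constructed sample records (simplified; header name and values are placeholders).
SAMPLE = [
    {"api": "PutObject", "principal": "app-uploader", "object": "b/report.csv",
     "headers": {"Content-Type": "text/csv"}},
    {"api": "PutObject", "principal": "app-uploader", "object": "b/x.bin",
     "headers": {"X-Minio-Replication-Placeholder": "constructed-value"}},
    {"api": "PutObject", "principal": "site-replicator", "object": "b/y.bin",
     "headers": {"x-minio-replication-placeholder": "constructed-value"}},
    {"api": "GetObject", "principal": "reader", "object": "b/x.bin", "headers": {}},
]

if __name__ == "__main__":
    deployed = "RELEASE.2026-01-10T08-00-00Z"  # constructed example tag
    print(deployed, "affected:", is_affected(deployed))
    for hit in flag_requests(SAMPLE, replication_principals={"site-replicator"}):
        print("review:", hit)
```

Header matching is case-insensitive because HTTP header names are; the allowlist exists only so that accounts an operator already uses for replication do not drown out the rest.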

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
