Platform
go
Component
github.com/minio/minio
Fixed in
2026.0.1
0.0.1
CVE-2026-34204 describes a vulnerability in MinIO, a high-performance object storage server. This issue allows attackers to inject malicious metadata through replication headers, potentially impacting data integrity and security. The vulnerability affects versions of MinIO up to 0.0.0-20260212201848-7aac2a2c5b7c, and a fix has been released in RELEASE.2026-03-26T21-24-40Z.
The SSE metadata injection vulnerability in MinIO allows an attacker to craft malicious replication headers that are processed by the server. This can lead to the injection of arbitrary metadata into objects stored within MinIO. Successful exploitation could result in data corruption, unauthorized modification of object properties, or even the creation of objects with misleading metadata. The impact is particularly concerning in environments where object metadata is used for access control, data validation, or other critical functions. While the immediate impact might be limited to a single object, a compromised MinIO instance could be leveraged to impact a wide range of applications and services relying on the storage.
CVE-2026-34204 was publicly disclosed on 2026-03-27. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability has not been added to the CISA KEV catalog. The probability of exploitation is currently assessed as low, but diligent patching is still recommended.
Exploit Status
EPSS
0.03% (7% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34204 is to upgrade to the patched version, RELEASE.2026-03-26T21-24-40Z. If an immediate upgrade is not feasible, consider implementing stricter input validation on replication headers at the network level, such as using a Web Application Firewall (WAF) or proxy server to filter out suspicious headers. Monitor MinIO logs for unusual activity related to object creation or modification. Specifically, look for unexpected metadata values or patterns. After upgrading, confirm the fix by attempting to replicate an object with a crafted header containing malicious metadata; the server should reject the request.
Update MinIO to version RELEASE.2026-03-26T21-24-40Z or later. This update fixes the SSE metadata injection vulnerability via replication headers.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34204 is a HIGH severity vulnerability in MinIO allowing attackers to inject malicious metadata via replication headers, potentially corrupting data or gaining unauthorized access. It affects versions up to 0.0.0-20260212201848-7aac2a2c5b7c.
Yes, if you are running MinIO versions prior to RELEASE.2026-03-26T21-24-40Z, you are affected by this vulnerability and should upgrade immediately.
Upgrade to the patched version, RELEASE.2026-03-26T21-24-40Z. As a temporary workaround, implement stricter input validation on replication headers using a WAF or proxy.
There is currently no evidence of active exploitation in the wild, but diligent patching is still recommended.
Refer to the official MinIO security advisory for detailed information and updates: [https://docs.min.io/docs/security/advisories/](https://docs.min.io/docs/security/advisories/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.