Platform
go
Component
github.com/minio/minio
Fixed in
2026.0.1
0.0.1
CVE-2026-34204 describes a vulnerability in MinIO, a high-performance object storage server. This issue allows attackers to inject malicious metadata through replication headers, potentially impacting data integrity and security. The vulnerability affects versions of MinIO up to 0.0.0-20260212201848-7aac2a2c5b7c, and a fix has been released in RELEASE.2026-03-26T21-24-40Z.
The SSE metadata injection vulnerability in MinIO allows an attacker to craft malicious replication headers that are processed by the server. This can lead to the injection of arbitrary metadata into objects stored within MinIO. Successful exploitation could result in data corruption, unauthorized modification of object properties, or even the creation of objects with misleading metadata. The impact is particularly concerning in environments where object metadata is used for access control, data validation, or other critical functions. While the immediate impact might be limited to a single object, a compromised MinIO instance could be leveraged to impact a wide range of applications and services relying on the storage.
CVE-2026-34204 was publicly disclosed on 2026-03-27. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability has not been added to the CISA KEV catalog. The probability of exploitation is currently assessed as low, but diligent patching is still recommended.
Organizations heavily reliant on MinIO for object storage, particularly those using it for critical data or applications, are at risk. Environments with limited network segmentation or inadequate input validation practices are also more vulnerable. Any deployment using MinIO versions prior to RELEASE.2026-03-26T21-24-40Z should be considered at risk.
• go / server:
```sh
# Check MinIO version
minio --version
```
• go / server:
```sh
# Monitor MinIO logs for unusual object creation/modification activity
journalctl -u minio -f | grep -i 'metadata injection'
```
• generic web:
```sh
# Check for unexpected metadata on an object (requires the MinIO client, mc, or API access)
mc stat <alias>/<bucket>/<object>
```
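The version check above can be automated across hosts and `go.mod` files. The following is an added example, not code from MinIO or from the advisory: it classifies a release tag or Go pseudo-version against the two boundary values quoted on this page. The function name `Classify` and its three result labels are illustrative, and pseudo-versions that fall between the two boundaries are reported as `verify` because the page does not say which commit carries the fix.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Both boundary values are quoted from the advisory text on this page.
const (
	fixedRelease = "RELEASE.2026-03-26T21-24-40Z"
	lastAffected = "0.0.0-20260212201848-7aac2a2c5b7c"
)

var (
	releaseRe = regexp.MustCompile(`RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)`)
	pseudoRe  = regexp.MustCompile(`\b(\d{14})-[0-9a-f]{12}\b`)
)

func releaseTime(s string) (time.Time, error) { return time.Parse("2006-01-02T15-04-05Z", s) }
func pseudoTime(s string) (time.Time, error)  { return time.Parse("20060102150405", s) }

// Classify returns "affected", "fixed" or "verify" for a line of
// `minio --version` output or a go.mod require line (illustrative labels).
func Classify(line string) string {
	fixed, _ := releaseTime(releaseRe.FindStringSubmatch(fixedRelease)[1])
	lastBad, _ := pseudoTime(pseudoRe.FindStringSubmatch(lastAffected)[1])
	if m := releaseRe.FindStringSubmatch(line); m != nil {
		if t, err := releaseTime(m[1]); err != nil {
			return "verify" // shaped like a tag but not a valid timestamp
		} else if t.Before(fixed) {
			return "affected"
		}
		return "fixed"
	}
	if m := pseudoRe.FindStringSubmatch(line); m != nil {
		if t, err := pseudoTime(m[1]); err == nil && !t.After(lastBad) {
			return "affected" // at or before the last version listed as affected
		} else if err == nil && !t.Before(fixed) {
			return "fixed" // assumption: a commit newer than the fixed tag includes the fix
		}
	}
	return "verify" // between the two boundaries, or no version found
}

func main() {
	// Constructed sample input: a go.mod require line.
	fmt.Println(Classify("require github.com/minio/minio v0.0.0-20260212201848-7aac2a2c5b7c"))
}
```

Anything reported as `verify` needs a manual check against the MinIO advisory rather than being treated as safe.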
Exploit status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34204 is to upgrade to the patched version, RELEASE.2026-03-26T21-24-40Z. If an immediate upgrade is not feasible, consider implementing stricter input validation on replication headers at the network level, such as using a Web Application Firewall (WAF) or proxy server to filter out suspicious headers. Monitor MinIO logs for unusual activity related to object creation or modification. Specifically, look for unexpected metadata values or patterns. After upgrading, confirm the fix by attempting to replicate an object with a crafted header containing malicious metadata; the server should reject the request.
Update MinIO to RELEASE.2026-03-26T21-24-40Z or a later version. This update fixes the SSE metadata injection vulnerability via replication headers.
CVE-2026-34204 is a HIGH severity vulnerability in MinIO allowing attackers to inject malicious metadata via replication headers, potentially corrupting data or gaining unauthorized access. It affects versions up to 0.0.0-20260212201848-7aac2a2c5b7c.
Yes, if you are running MinIO versions prior to RELEASE.2026-03-26T21-24-40Z, you are affected by this vulnerability and should upgrade immediately.
Upgrade to the patched version, RELEASE.2026-03-26T21-24-40Z. As a temporary workaround, implement stricter input validation on replication headers using a WAF or proxy.
There is currently no evidence of active exploitation in the wild, but diligent patching is still recommended.
Refer to the official MinIO security advisory for detailed information and updates: [https://docs.min.io/docs/security/advisories/](https://docs.min.io/docs/security/advisories/)