CVE-2026-34204

CVE-2026-34204 is a high-severity improper authentication vulnerability in github.com/minio/minio (go), affecting versions >= 0.0.0-20240328174456-468a9fae83e9, <= 0.0.0-20260212201848-7aac2a2c5b7c. No fixed version is listed yet.

Summary

Affected Versions

All MinIO releases through the final release of the minio/minio open-source project.

The vulnerability was introduced in commit 468a9fae83e965ecefa1c1fdc2fc57b84ece95b0 ("Enable replication of SSE-C objects", PR #19107, 2024-03-28). The first affected release is RELEASE.2024-03-30T09-41-56Z.

Binary Downloads

Platform Architecture Download
Linux amd64 minio
Linux arm64 minio
macOS arm64 minio
macOS amd64 minio
Windows amd64 minio.exe

FIPS Binaries

Platform Architecture Download
Linux amd64 minio.fips
Linux arm64 minio.fips

Package Downloads

Container Images

# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z

# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips

Homebrew (macOS)

brew install minio/aistor/minio

Workarounds

Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-03-26T21-24-40Z or later.

If upgrading is not immediately possible:

  • Restrict replication headers at a reverse proxy / load balancer. Drop or reject any request containing X-Minio-Replication-Server-Side-Encryption-* headers that does not also carry X-Minio-Source-Replication-Request. This blocks the injection path without modifying the server.

  • Audit IAM policies. Limit s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any authorized user can exploit it.
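One way to apply the first workaround at a Go-based reverse proxy, as an added example that is not MinIO's or the advisory's own code: it wraps an httputil.ReverseProxy and rejects any request carrying X-Minio-Replication-Server-Side-Encryption-* headers that lacks X-Minio-Source-Replication-Request, before the request reaches the server. The upstream address 127.0.0.1:9000 and the listen port 8080 are assumptions.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Header names as quoted in the advisory's workaround.
const (
	sourceReplicationHeader = "X-Minio-Source-Replication-Request"
	replicationSSEPrefix    = "X-Minio-Replication-Server-Side-Encryption-"
)

// hasInjectedReplicationSSE reports whether a request carries any
// X-Minio-Replication-Server-Side-Encryption-* header without the
// X-Minio-Source-Replication-Request header that marks real replication.
// Keys are canonicalised so raw, non-canonical map keys are matched too.
func hasInjectedReplicationSSE(h http.Header) bool {
	hasSSE := false
	for name := range h {
		if strings.HasPrefix(http.CanonicalHeaderKey(name), replicationSSEPrefix) {
			hasSSE = true
			break
		}
	}
	return hasSSE && h.Get(sourceReplicationHeader) == ""
}

// FilterReplicationHeaders wraps next (here the reverse proxy) and answers
// matching requests with 403 instead of forwarding them to MinIO.
func FilterReplicationHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if hasInjectedReplicationSSE(r.Header) {
			log.Printf("blocked replication-header injection from %s on %s", r.RemoteAddr, r.URL.Path)
			http.Error(w, "replication headers not permitted", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed upstream MinIO address and listen port; adjust for your deployment.
	upstream := &url.URL{Scheme: "http", Host: "127.0.0.1:9000"}
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	log.Fatal(http.ListenAndServe(":8080", FilterReplicationHeaders(proxy)))
}
```

Genuine replication traffic that carries X-Minio-Source-Replication-Request still passes through and is subject to the server's own ReplicateObjectAction check.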

References

Impact

What kind of vulnerability is it? Who is impacted?

A flaw in extractMetadataFromMime() allows any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects by sending crafted X-Minio-Replication-* headers on a normal PutObject request. The server unconditionally maps these headers to X-Minio-Internal-* encryption metadata without verifying that the request is a legitimate replication request. Objects written this way carry bogus encryption keys and become permanently unreadable through the S3 API.

Any authenticated user or service with s3:PutObject permission on any bucket can make objects permanently unreadable by injecting fake SSE encryption metadata. The attacker sends a standard PutObject request with X-Minio-Replication-Server-Side-Encryption-* headers but without the X-Minio-Source-Replication-Request header that marks legitimate replication traffic. The server maps these headers to internal encryption metadata (X-Minio-Internal-Server-Side-Encryption-Sealed-Key, etc.), causing all subsequent GetObject and HeadObject calls to treat the object as encrypted with keys that do not exist.

This is a targeted denial-of-service vulnerability. An attacker can selectively corrupt individual objects or entire buckets. The ReplicateObjectAction IAM permission is never checked because the request is a normal PutObject, not a replication request.

Affected component: cmd/handler-utils.go, function extractMetadataFromMime().

The application does not adequately verify the identity of a user, device, or process before granting access. Typical impact: unauthorized access to functions or data reserved for authenticated parties.

CVE-2026-34204 has a CVSS score of 7.1 (High). The attack vector is network, low privileges are required, and no user interaction is needed. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.

Affected versions

github.com/minio/minio (>= 0.0.0-20240328174456-468a9fae83e9, <= 0.0.0-20260212201848-7aac2a2c5b7c)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Fixed in: MinIO AIStor RELEASE.2026-03-26T21-24-40Z

Frequently Asked Questions

  1. What is CVE-2026-34204? CVE-2026-34204 is a high-severity improper authentication vulnerability in github.com/minio/minio (go), affecting versions >= 0.0.0-20240328174456-468a9fae83e9, <= 0.0.0-20260212201848-7aac2a2c5b7c. No fixed version is listed yet. The application does not adequately verify the identity of a user, device, or process before granting access.
  2. How severe is CVE-2026-34204? CVE-2026-34204 has a CVSS score of 7.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/minio/minio are affected by CVE-2026-34204? github.com/minio/minio (go) versions >= 0.0.0-20240328174456-468a9fae83e9, <= 0.0.0-20260212201848-7aac2a2c5b7c are affected.
  4. Is there a fix for CVE-2026-34204? No fixed version is listed for CVE-2026-34204 yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is CVE-2026-34204 exploitable, and should I be worried? Whether CVE-2026-34204 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-34204 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-34204? No fixed version is listed yet. In the interim: Keep the dependency up to date. Ensure authentication checks are present and cannot be bypassed by manipulating request parameters.

Other vulnerabilities in github.com/minio/minio

CVE-2026-42600, CVE-2026-41145, CVE-2026-39414, CVE-2026-34204, CVE-2026-33419
