Improper authorization control for web services In github.com/minio/minio
Description
MinIO is Vulnerable to SSE Metadata Injection via Replication Headers
Impact
What kind of vulnerability is it? Who is impacted?
A flaw in extractMetadataFromMime() allows any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects by sending crafted X-Minio-Replication-* headers on a normal PutObject request. The server unconditionally maps these headers to X-Minio-Internal-* encryption metadata without verifying that the request is a legitimate replication request. Objects written this way carry bogus encryption keys and become permanently unreadable through the S3 API.
Any authenticated user or service with s3:PutObject permission on any bucket can make objects permanently unreadable by injecting fake SSE encryption metadata. The attacker sends a standard PutObject request with X-Minio-Replication-Server-Side-Encryption-* headers but without the X-Minio-Source-Replication-Request header that marks legitimate replication traffic. The server maps these headers to internal encryption metadata (X-Minio-Internal-Server-Side-Encryption-Sealed-Key, etc.), causing all subsequent GetObject and HeadObject calls to treat the object as encrypted with keys that do not exist.
This is a targeted denial-of-service vulnerability. An attacker can selectively corrupt individual objects or entire buckets. The ReplicateObjectAction IAM permission is never checked because the request is a normal PutObject, not a replication request.
Affected component: cmd/handler-utils.go, function extractMetadataFromMime().
Affected Versions
All MinIO releases through the final release of the minio/minio open-source project.
The vulnerability was introduced in commit 468a9fae83e965ecefa1c1fdc2fc57b84ece95b0 ("Enable replication of SSE-C objects", PR #19107, 2024-03-28). The first affected release is RELEASE.2024-03-30T09-41-56Z.
Patches
Fixed in: MinIO AIStor RELEASE.2026-03-26T21-24-40Z
Binary Downloads
FIPS Binaries
Platform | Architecture | Download |
|---|---|---|
Linux | amd64 | |
Linux | arm64 |
Package Downloads
Format | Architecture | Download |
|---|---|---|
DEB | amd64 | |
DEB | arm64 | |
RPM | amd64 | |
RPM | arm64 |
Container Images
# Standard docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z # FIPS docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips
Homebrew (macOS)
brew install minio/aistor/minio
Workarounds
If upgrading is not immediately possible:
Restrict replication headers at a reverse proxy / load balancer. Drop or reject any request containing X-Minio-Replication-Server-Side-Encryption-* headers that does not also carry X-Minio-Source-Replication-Request. This blocks the injection path without modifying the server.
Audit IAM policies. Limit s3:PutObject grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any authorized user can exploit it.
References
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version |
|---|---|---|
 go |
Aliases
References