Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN344
_____________________________________________________________________

DATE                : 30/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running minio versions prior
                          to RELEASE.2026-03-26T21-24-40Z.

=====================================================================
https://github.com/minio/minio/security/advisories/GHSA-3rh2-v3gr-35p9
_____________________________________________________________________


SSE Metadata Injection via Replication Headers
High
harshavardhana published GHSA-3rh2-v3gr-35p9 Mar 27, 2026

Package
github.com/minio/minio

Affected versions
> RELEASE.2024-03-30T09-41-56Z

Patched versions
>= RELEASE.2026-03-26T21-24-40Z


Description

Impact

What kind of vulnerability is it? Who is impacted?

A flaw in extractMetadataFromMime() allows any authenticated user with
s3:PutObject permission to inject internal server-side encryption metadata
into objects by sending crafted X-Minio-Replication-* headers on a normal
PutObject request. The server unconditionally maps these headers to
X-Minio-Internal-* encryption metadata without verifying that the request is
a legitimate replication request. Objects written this way carry bogus
encryption keys and become permanently unreadable through the S3 API.

Any authenticated user or service with s3:PutObject permission on any bucket
can make objects permanently unreadable by injecting fake SSE encryption
metadata. The attacker sends a standard PutObject request with
X-Minio-Replication-Server-Side-Encryption-* headers but without the
X-Minio-Source-Replication-Request header that marks legitimate replication
traffic. The server maps these headers to internal encryption metadata
(X-Minio-Internal-Server-Side-Encryption-Sealed-Key, etc.), causing all
subsequent GetObject and HeadObject calls to treat the object as encrypted with
keys that do not exist.

This is a targeted denial-of-service vulnerability. An attacker can
selectively corrupt individual objects or entire buckets. The
ReplicateObjectAction IAM permission is never checked because the request is
a normal PutObject, not a replication request.

Affected component: cmd/handler-utils.go, function
extractMetadataFromMime().


Affected Versions

All MinIO releases through the final release of the minio/minio open-source project.

The vulnerability was introduced in commit
468a9fae83e965ecefa1c1fdc2fc57b84ece95b0 ("Enable replication of SSE-C
objects", PR #19107, 2024-03-28).
The first affected release is RELEASE.2024-03-30T09-41-56Z.


Patches

Fixed in: MinIO AIStor RELEASE.2026-03-26T21-24-40Z


Binary Downloads

Platform 	Architecture 	Download

Linux 	amd64 	minio
Linux 	arm64 	minio
macOS 	arm64 	minio
macOS 	amd64 	minio
Windows 	amd64 	minio.exe
FIPS Binaries
Platform 	Architecture 	Download
Linux 	amd64 	minio.fips
Linux 	arm64 	minio.fips
Package Downloads
Format 	Architecture 	Download
DEB 	amd64 	minio_20260326212440.0.0_amd64.deb
DEB 	arm64 	minio_20260326212440.0.0_arm64.deb
RPM 	amd64 	minio-20260326212440.0.0-1.x86_64.rpm
RPM 	arm64 	minio-20260326212440.0.0-1.aarch64.rpm


Container Images

# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z

# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips

Homebrew (macOS)

brew install minio/aistor/minio


Workarounds

    Users of the open-source minio/minio project should upgrade to
MinIO AIStor RELEASE.2026-03-26T21-24-40Z or later.

If upgrading is not immediately possible:

    Restrict replication headers at a reverse proxy / load balancer. Drop or
    reject any request containing X-Minio-Replication-Server-Side-Encryption-*
    headers that does not also carry X-Minio-Source-Replication-Request. This
    blocks the injection path without modifying the server.

    Audit IAM policies. Limit s3:PutObject grants to trusted principals.
    While this reduces the attack surface, it does not eliminate the
    vulnerability since any authorized user can exploit it.


References

    Introducing commit: 468a9fae8 (PR #19107)
    MinIO AIStor


Severity
High
7.1/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required Low
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity Low
Availability High
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

CVE ID
No known CVE

Weaknesses
No CWEs

Credits

    @harshavardhana harshavardhana Remediation developer
    @donatello donatello Remediation reviewer
    @shtripat shtripat Remediation reviewer




=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================