+ "details": "## Impact\n\n_What kind of vulnerability is it? Who is impacted?_\n\nA flaw in `extractMetadataFromMime()` allows any authenticated user with `s3:PutObject` permission to inject internal server-side encryption metadata into objects by sending crafted `X-Minio-Replication-*` headers on a normal PutObject request. The server unconditionally maps these headers to `X-Minio-Internal-*` encryption metadata without verifying that the request is a legitimate replication request. Objects written this way carry bogus encryption keys and become **permanently unreadable** through the S3 API.\n\nAny authenticated user or service with `s3:PutObject` permission on any bucket can make objects permanently unreadable by injecting fake SSE encryption metadata. The attacker sends a standard PutObject request with `X-Minio-Replication-Server-Side-Encryption-*` headers but **without** the `X-Minio-Source-Replication-Request` header that marks legitimate replication traffic. The server maps these headers to internal encryption metadata (`X-Minio-Internal-Server-Side-Encryption-Sealed-Key`, etc.), causing all subsequent GetObject and HeadObject calls to treat the object as encrypted with keys that do not exist.\n\nThis is a targeted denial-of-service vulnerability. An attacker can selectively corrupt individual objects or entire buckets. The `ReplicateObjectAction` IAM permission is never checked because the request is a normal PutObject, not a replication request.\n\n**Affected component:** `cmd/handler-utils.go`, function `extractMetadataFromMime()`.\n\n## Affected Versions\n\nAll MinIO releases through the final release of the minio/minio open-source project.\n\nThe vulnerability was introduced in commit `468a9fae83e965ecefa1c1fdc2fc57b84ece95b0` (\"Enable replication of SSE-C objects\", [PR #19107](https://github.com/minio/minio/pull/19107), 2024-03-28). The first affected release is `RELEASE.2024-03-30T09-41-56Z`.\n\n## Patches\n\n**Fixed in**: MinIO AIStor RELEASE.2026-03-26T21-24-40Z\n\n### Binary Downloads\n\n| Platform | Architecture | Download |\n| -------- | ------------ | -------- |\n| Linux | amd64 | [minio](https://dl.min.io/aistor/minio/release/linux-amd64/minio) |\n| Linux | arm64 | [minio](https://dl.min.io/aistor/minio/release/linux-arm64/minio) |\n| macOS | arm64 | [minio](https://dl.min.io/aistor/minio/release/darwin-arm64/minio) |\n| macOS | amd64 | [minio](https://dl.min.io/aistor/minio/release/darwin-amd64/minio) |\n| Windows | amd64 | [minio.exe](https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe) |\n\n### FIPS Binaries\n\n| Platform | Architecture | Download |\n| -------- | ------------ | -------- |\n| Linux | amd64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips) |\n| Linux | arm64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips) |\n\n### Package Downloads\n\n| Format | Architecture | Download |\n| ------ | ------------ | -------- |\n| DEB | amd64 | [minio_20260326212440.0.0_amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio_20260326212440.0.0_amd64.deb) |\n| DEB | arm64 | [minio_20260326212440.0.0_arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio_20260326212440.0.0_arm64.deb) |\n| RPM | amd64 | [minio-20260326212440.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260326212440.0.0-1.x86_64.rpm) |\n| RPM | arm64 | [minio-20260326212440.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/release/linux-arm64/minio-20260326212440.0.0-1.aarch64.rpm) |\n\n### Container Images\n\n```bash\n# Standard\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z\n\n# FIPS\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips\n```\n\n### Homebrew (macOS)\n\n```bash\nbrew install minio/aistor/minio\n```\n\n## Workarounds\n\n[Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-03-26T21-24-40Z` or later.](https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/)\n\nIf upgrading is not immediately possible:\n\n- **Restrict replication headers at a reverse proxy / load balancer.** Drop or reject any request containing `X-Minio-Replication-Server-Side-Encryption-*` headers that does not also carry `X-Minio-Source-Replication-Request`. This blocks the injection path without modifying the server.\n\n- **Audit IAM policies.** Limit `s3:PutObject` grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any authorized user can exploit it.\n\n## References\n\n- Introducing commit: [`468a9fae8`](https://github.com/minio/minio/commit/468a9fae83e965ecefa1c1fdc2fc57b84ece95b0) ([PR #19107](https://github.com/minio/minio/pull/19107))\n- [MinIO AIStor](https://min.io/aistor)",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments