{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-34204","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-03-26T15:57:52.323Z","datePublished":"2026-03-31T19:30:31.057Z","dateUpdated":"2026-04-01T13:42:45.444Z"},"containers":{"cna":{"title":"MinIO is Vulnerable to SSE Metadata Injection via Replication Headers","problemTypes":[{"descriptions":[{"cweId":"CWE-287","lang":"en","description":"CWE-287: Improper Authentication","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","baseScore":7.1,"baseSeverity":"HIGH","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N","version":"4.0"}}],"references":[{"name":"https://github.com/minio/minio/security/advisories/GHSA-3rh2-v3gr-35p9","tags":["x_refsource_CONFIRM"],"url":"https://github.com/minio/minio/security/advisories/GHSA-3rh2-v3gr-35p9"}],"affected":[{"vendor":"minio","product":"minio","versions":[{"version":"< RELEASE.2026-03-26T21-24-40Z","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-03-31T19:30:31.057Z"},"descriptions":[{"lang":"en","value":"MinIO is a high-performance object storage system. Prior to version RELEASE.2026-03-26T21-24-40Z, a flaw in extractMetadataFromMime() allows any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects by sending crafted X-Minio-Replication-* headers on a normal PutObject request. The CVSS 4.0 vector in this record rates the impact as high for availability and low for integrity, with no confidentiality impact.\nThis issue has been patched in version RELEASE.2026-03-26T21-24-40Z."}],"source":{"advisory":"GHSA-3rh2-v3gr-35p9","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-04-01T13:42:38.433636Z","id":"CVE-2026-34204","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-01T13:42:45.444Z"}}]}}