Impact What kind of vulnerability is it? Who is impacted? A flaw in "extractMetadataFromMime()" allows any authenticated user with "s3:PutObject" permission to inject internal server-side encryption metadata into objects by sending crafted "X-Minio-Replication-" headers on a normal PutObject request. The server unconditionally maps these headers to "X-Minio-Internal-" encryption metadata without verifying that the request is a legitimate replication request. Objects written this way carry bogus encryption keys and become permanently unreadable through the S3 API. Any authenticated user or service with "s3:PutObject" permission on any bucket can make objects permanently unreadable by injecting fake SSE encryption metadata. The attacker sends a standard PutObject request with "X-Minio-Replication-Server-Side-Encryption-*" headers but without the "X-Minio-Source-Replication-Request" header that marks legitimate replication traffic. The server maps these headers to internal encryption metadata ("X-Minio-Internal-Server-Side-Encryption-Sealed-Key", etc.), causing all subsequent GetObject and HeadObject calls to treat the object as encrypted with keys that do not exist. This is a targeted denial-of-service vulnerability. An attacker can selectively corrupt individual objects or entire buckets. The "ReplicateObjectAction" IAM permission is never checked because the request is a normal PutObject, not a replication request. Affected component: "cmd/handler-utils.go", function "extractMetadataFromMime()". Affected Versions All MinIO releases through the final release of the minio/minio open-source project. The vulnerability was introduced in commit "468a9fae83e965ecefa1c1fdc2fc57b84ece95b0" ("Enable replication of SSE-C objects", "PR #19107" (https://github.com/minio/minio/pull/19107), 2024-03-28). The first affected release is "RELEASE.2024-03-30T09-41-56Z". Patches Fixed in: MinIO AIStor RELEASE.2026-03-26T21-24-40Z Binary Downloads | Platform | Architecture | Download | | -------- | ------------ | -------- | | Linux | amd64 | "minio" (https://dl.min.io/aistor/minio/release/linux-amd64/minio) | | Linux | arm64 | "minio" (https://dl.min.io/aistor/minio/release/linux-arm64/minio) | | macOS | arm64 | "minio" (https://dl.min.io/aistor/minio/release/darwin-arm64/minio) | | macOS | amd64 | "minio" (https://dl.min.io/aistor/minio/release/darwin-amd64/minio) | | Windows | amd64 | "minio.exe" (https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe) | FIPS Binaries | Platform | Architecture | Download | | -------- | ------------ | -------- | | Linux | amd64 | "minio.fips" (https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips) | | Linux | arm64 | "minio.fips" (https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips) | Package Downloads | Format | Architecture | Download | | ------ | ------------ | -------- | | DEB | amd64 | "minio_20260326212440.0.0_amd64.deb" (https://dl.min.io/aistor/minio/release/linux-amd64/minio_20260326212440.0.0_amd64.deb) | | DEB | arm64 | "minio_20260326212440.0.0_arm64.deb" (https://dl.min.io/aistor/minio/release/linux-arm64/minio_20260326212440.0.0_arm64.deb) | | RPM | amd64 | "minio-20260326212440.0.0-1.x86_64.rpm" (https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260326212440.0.0-1.x86_64.rpm) | | RPM | arm64 | "minio-20260326212440.0.0-1.aarch64.rpm" (https://dl.min.io/aistor/minio/release/linux-arm64/minio-20260326212440.0.0-1.aarch64.rpm) | Container Images Standard docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z FIPS docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips Homebrew (macOS) brew install minio/aistor/minio Workarounds "Users of the open-source "minio/minio" project should upgrade to MinIO AIStor "RELEASE.2026-03-26T21-24-40Z" or later." (https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/) If upgrading is not immediately possible: - Restrict replication headers at a reverse proxy / load balancer. Drop or reject any request containing "X-Minio-Replication-Server-Side-Encryption-*" headers that does not also carry "X-Minio-Source-Replication-Request". This blocks the injection path without modifying the server. - Audit IAM policies. Limit "s3:PutObject" grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any authorized user can exploit it. References - Introducing commit: ""468a9fae8"" (https://github.com/minio/minio/commit/468a9fae83e965ecefa1c1fdc2fc57b84ece95b0) ("PR #19107" (https://github.com/minio/minio/pull/19107)) - "MinIO AIStor" (https://min.io/aistor)