MinIO is vulnerable to privilege escalation on Linux/MacOS
Description
MinIO is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off MINIO_BROWSER=off.
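The fix commit below replaces a substring match on the Content-Type header with a parsed media-type check. The following is an added Go example, not MinIO's own code: it rebuilds that patched predicate as a stand-alone function and runs it over constructed Content-Type values (well-formed, mixed-case, missing, malformed parameter, wrong type, wrong method) so a reviewer can see exactly which requests are classified as PostPolicy requests.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
)

// postPolicyMediaType is the only media type a browser-style POST policy
// upload may carry; anything else is not a PostPolicy request.
const postPolicyMediaType = "multipart/form-data"

// IsPostPolicyRequest mirrors the patched predicate: the Content-Type header
// is parsed as a media type rather than searched for a substring, and the
// request counts as PostPolicy only if parsing succeeds, the normalized media
// type is exactly multipart/form-data, and the method is POST.
func IsPostPolicyRequest(method, contentType string) bool {
	mediaType, _, err := mime.ParseMediaType(contentType)
	if err != nil { // missing or malformed header: never a PostPolicy request
		return false
	}
	return mediaType == postPolicyMediaType && method == http.MethodPost
}

// IsPostPolicyHTTPRequest adapts the check to *http.Request so that a router
// matcher and an auth classifier can share one predicate instead of two.
func IsPostPolicyHTTPRequest(r *http.Request) bool {
	return IsPostPolicyRequest(r.Method, r.Header.Get("Content-Type"))
}

// sampleHeaders are constructed values (hypothetical, not from MinIO) with
// the classification the patched predicate is expected to give.
var sampleHeaders = []struct {
	method, contentType string
	want                bool
}{
	{"POST", "multipart/form-data; boundary=----constructed", true},
	{"POST", "Multipart/Form-Data; boundary=x", true}, // ParseMediaType lowercases the type
	{"POST", "multipart/form-data", true},             // parameters are optional here
	{"POST", "", false},                               // no Content-Type header at all
	{"POST", "multipart/form-data; boundary", false},  // parameter without a value: parse error
	{"POST", "application/x-www-form-urlencoded", false},
	{"GET", "multipart/form-data; boundary=x", false}, // right type, wrong method
}

func main() {
	for _, s := range sampleHeaders {
		got := IsPostPolicyRequest(s.method, s.contentType)
		fmt.Printf("%-4s %-48q -> %v (expected %v)\n", s.method, s.contentType, got, s.want)
	}
}
```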
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/minio/minio (Go) | < 0.0.0-202303200415 | 0.0.0-202303200415 |
Patches
67f4ba154a27 fix: post policy request security bypass (#16849)
2 files changed · +9 −4
cmd/api-router.go+3 −2 modified@@ -434,8 +434,9 @@ func registerAPIRouter(router *mux.Router) { router.Methods(http.MethodHead).HandlerFunc( collectAPIStats("headbucket", maxClients(gz(httpTraceAll(api.HeadBucketHandler))))) // PostPolicy - router.Methods(http.MethodPost).HeadersRegexp(xhttp.ContentType, "multipart/form-data*").HandlerFunc( - collectAPIStats("postpolicybucket", maxClients(gz(httpTraceHdrs(api.PostPolicyBucketHandler))))) + router.Methods(http.MethodPost).MatcherFunc(func(r *http.Request, _ *mux.RouteMatch) bool { + return isRequestPostPolicySignatureV4(r) + }).HandlerFunc(collectAPIStats("postpolicybucket", maxClients(gz(httpTraceHdrs(api.PostPolicyBucketHandler))))) // DeleteMultipleObjects router.Methods(http.MethodPost).HandlerFunc( collectAPIStats("deletemultipleobjects", maxClients(gz(httpTraceAll(api.DeleteMultipleObjectsHandler))))).Queries("delete", "")
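Review bot: the MatcherFunc closure that replaces the HeadersRegexp line makes the router and the auth layer share one predicate, isRequestPostPolicySignatureV4, which is the substance of the fix: before this hunk the route was selected by the regexp "multipart/form-data*" while authentication used its own separate Content-Type test, so the two layers could classify the same request differently. Worth adding a router-level test that sends a POST to a bucket path with a non-multipart Content-Type and asserts it is not dispatched to PostPolicyBucketHandler, so the two checks cannot drift apart again.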
cmd/auth-handler.go+6 −2 modified@@ -25,6 +25,7 @@ import ( "encoding/hex" "errors" "io" + "mime" "net/http" "net/url" "strconv" @@ -74,8 +75,11 @@ func isRequestPresignedSignatureV2(r *http.Request) bool { // Verify if request has AWS Post policy Signature Version '4'. func isRequestPostPolicySignatureV4(r *http.Request) bool { - return strings.Contains(r.Header.Get(xhttp.ContentType), "multipart/form-data") && - r.Method == http.MethodPost + mediaType, _, err := mime.ParseMediaType(r.Header.Get(xhttp.ContentType)) + if err != nil { + return false + } + return mediaType == "multipart/form-data" && r.Method == http.MethodPost } // Verify if the request has AWS Streaming Signature Version '4'. This is only valid for 'PUT' operation.
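Review bot: in the isRequestPostPolicySignatureV4 hunk, replacing strings.Contains with mime.ParseMediaType plus an exact comparison is the right shape, and the early "return false" on parse error correctly treats a missing or malformed Content-Type as not a post-policy request. Two follow-ups: if this was the only use of the strings package in auth-handler.go, the now-unused import will fail to compile, so check the import block; and a table-driven unit test for the predicate (with and without a boundary parameter, mixed case, empty header, parameter without a value) would document the accepted set, since ParseMediaType lowercases the media type and returns an error for a parameter with no value.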
References
- github.com/advisories/GHSA-2pxw-r47w-4p8c (advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-28434 (advisory)
- github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5 (web)
- github.com/minio/minio/pull/16849 (web)
- github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c (vendor advisory)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (web)