What is MinIO?
MinIO is a high-performance, open-source S3-compatible object storage server used in cloud-native environments, Kubernetes clusters, and data lake architectures. MinIO supports S3-compatible multipart upload policies (HTTP POST object upload), which allow clients to upload objects directly to MinIO using pre-signed policy documents signed by a MinIO access key. The PostPolicyBucket endpoint handles this policy-based upload mechanism, and a flaw in its bucket name validation was the root cause of CVE-2023-28434.
Overview
CVE-2023-28434 is a privilege escalation vulnerability (CWE-269) in MinIO that allows an authenticated attacker with any valid MinIO credentials to write objects to buckets they should not have access to by crafting requests that bypass bucket name metadata validation in the PostPolicyBucket handler. While the attack requires some form of credentials (PR:L), the companion CVE-2023-28432 (information disclosure) allows unauthenticated retrieval of MinIO's root credentials — making the combination a pre-authentication admin takeover chain. MinIO patched both in RELEASE.2023-03-13T19-46-17Z.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| MinIO | Versions before RELEASE.2023-03-13T19-46-17Z | RELEASE.2023-03-13T19-46-17Z |
The attack requires arn:aws:s3:::* permission and enabled Console API access. MinIO root credentials (leaked via CVE-2023-28432) satisfy this requirement by definition.
Technical Details
The S3 multipart upload policy mechanism allows clients to upload objects directly to an S3-compatible service without streaming the object through the server — the client presents a signed policy document that specifies allowed upload parameters (bucket, key prefix, content type, expiry). The PostPolicyBucket handler validates the policy and, on success, accepts the object.
CVE-2023-28434 exists because the PostPolicyBucket handler improperly validates the bucket name specified in the upload policy. A crafted policy with a manipulated bucket name bypasses the metadata validation that would normally enforce bucket access restrictions. The attacker can specify an arbitrary bucket in the policy — including admin buckets or buckets owned by other users — and MinIO processes the upload, placing the object in the specified bucket without enforcing the expected access controls.
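To make the failed check concrete, here is an added example (not MinIO's code and not from the advisory) of the server-side validation a PostPolicyBucket-style handler must perform before writing an object: decode the base64 policy form field, reject an expired policy, and require the bucket condition in the signed policy to equal the bucket the request is addressed to. The policy document format (`expiration` plus a `conditions` array) is the standard S3 POST policy layout; the sample policy, bucket names and object keys are constructed, and signature verification of the policy is assumed to have already taken place.

```python
import base64
import json
from datetime import datetime, timezone

# Constructed sample: an S3 POST policy document of the kind a client signs and
# sends in the "policy" form field. Its bucket condition names "team-uploads".
SAMPLE_POLICY = {
    "expiration": "2030-01-01T00:00:00Z",
    "conditions": [
        {"bucket": "team-uploads"},
        ["starts-with", "$key", "incoming/"],
        ["content-length-range", 0, 10485760],
    ],
}


def encode_policy(policy: dict) -> str:
    """Base64-encode a policy dict the way a client places it in the form."""
    return base64.b64encode(json.dumps(policy).encode()).decode()


def decode_policy(policy_b64: str) -> dict:
    """Decode the form field and insist on the documented shape."""
    doc = json.loads(base64.b64decode(policy_b64))
    if not isinstance(doc, dict) or not isinstance(doc.get("conditions"), list):
        raise ValueError("policy must be a JSON object with a 'conditions' array")
    if not isinstance(doc.get("expiration"), str):
        raise ValueError("policy must carry an 'expiration' timestamp")
    return doc


def condition_value(conditions: list, field: str):
    """Exact-match value the policy asserts for `field`, or None.
    Accepts both spellings: {"bucket": "x"} and ["eq", "$bucket", "x"]."""
    for cond in conditions:
        if isinstance(cond, dict) and field in cond:
            return cond[field]
        if (isinstance(cond, list) and len(cond) == 3
                and cond[0] == "eq" and cond[1] == "$" + field):
            return cond[2]
    return None


def key_allowed(conditions: list, key: str) -> bool:
    """The object key must satisfy an exact "key" or a "starts-with" $key condition."""
    exact = condition_value(conditions, "key")
    if exact is not None:
        return key == exact
    for cond in conditions:
        if (isinstance(cond, list) and len(cond) == 3
                and cond[0] == "starts-with" and cond[1] == "$key"):
            return key.startswith(cond[2])
    return False


def validate_post_policy(policy_b64: str, request_bucket: str,
                         request_key: str, now_iso: str) -> str:
    """Checks a PostPolicyBucket-style handler must pass before writing the object.
    Signature verification of the policy (HMAC with the access key's secret) is
    assumed to have happened already and is not shown. Returns the bucket the
    write may go to; raises ValueError otherwise. Illustrative, not MinIO's code."""
    doc = decode_policy(policy_b64)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    expiry = datetime.strptime(doc["expiration"], fmt).replace(tzinfo=timezone.utc)
    now = datetime.strptime(now_iso, fmt).replace(tzinfo=timezone.utc)
    if expiry <= now:
        raise ValueError("policy has expired")

    conds = doc["conditions"]
    policy_bucket = condition_value(conds, "bucket")
    if policy_bucket is None:
        raise ValueError("policy carries no bucket condition")
    # The check at the heart of CVE-2023-28434: the bucket named in the signed
    # policy must be exactly the bucket the request is addressed to. Trusting the
    # request's bucket without this comparison lets a policy signed for one
    # bucket authorize a write into another.
    if policy_bucket != request_bucket:
        raise ValueError(
            f"policy bucket {policy_bucket!r} does not match request bucket {request_bucket!r}")
    if not key_allowed(conds, request_key):
        raise ValueError(f"key {request_key!r} is not permitted by the policy")
    return policy_bucket


def post_policy_allows(policy_b64: str, request_bucket: str,
                       request_key: str, now_iso: str) -> bool:
    """Boolean wrapper around validate_post_policy for callers that only need a verdict."""
    try:
        validate_post_policy(policy_b64, request_bucket, request_key, now_iso)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    encoded = encode_policy(SAMPLE_POLICY)
    now = "2024-06-01T00:00:00Z"
    print("same bucket:", post_policy_allows(encoded, "team-uploads", "incoming/report.csv", now))
    print("other bucket:", post_policy_allows(encoded, "admin-backups", "incoming/report.csv", now))
```

The bucket comparison is the line that matters: every other condition (key prefix, size, expiry) can be satisfied by a policy that was legitimately signed for one bucket, so only an exact match between the policy's bucket and the request's bucket keeps the signature's authority scoped to the bucket it was issued for.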
When chained with CVE-2023-28432:
- CVE-2023-28432: An unauthenticated POST to /minio/health/cluster retrieves MINIO_ROOT_USER and MINIO_ROOT_PASSWORD.
- CVE-2023-28434: Use the root credentials with a crafted PostPolicyBucket request to write objects to any bucket, enabling data exfiltration (read arbitrary objects) and data corruption (write malicious content to any bucket in the system).
Discovery
The vulnerability was reported alongside CVE-2023-28432 by security researchers who identified the credential leak and privilege escalation as a linked attack chain. The six-month gap between CVE-2023-28432's KEV addition (April 2023) and CVE-2023-28434's KEV addition (September 2023) may reflect that CVE-2023-28434's exploitation was observed later in incident investigations as part of more complex attack chains.
Exploitation Context
MinIO deployments store high-value data: database backups, ML model artifacts, application assets, log archives, and in some cases, sensitive documents. An attacker with admin object-write capability can:
- Exfiltrate all stored data across all buckets
- Overwrite backup objects with modified or malicious content, compromising backup integrity
- Write malicious artifacts to buckets used by CI/CD pipelines or application deployments
- Enumerate storage contents to identify further attack targets
The standalone severity (PR:L) is moderated by the credential requirement, but when paired with CVE-2023-28432, the effective exploit requires no credentials at all.
Remediation
- Update MinIO to RELEASE.2023-03-13T19-46-17Z or later — fixes both CVE-2023-28434 and CVE-2023-28432.
- Also rotate credentials — if your MinIO instance ran a vulnerable version while internet-accessible, treat all credentials as compromised (see CVE-2023-28432 remediation).
- Restrict Console API access — the attack requires Console API to be enabled; if not needed, disable it.
- Audit bucket access logs for unexpected cross-bucket writes or access patterns indicative of exploitation.
- Verify backup integrity — if your MinIO instance was exposed while vulnerable, audit backup objects for unexpected modifications.
- Restrict MinIO to internal networks — MinIO should not be directly accessible from the internet; place it behind a private network boundary.
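Two of the remediation steps above, confirming the running build is at or past the fixed release and auditing for cross-bucket writes, can be scripted. The following is an added example, not from the advisory or the MinIO project. It assumes the version string contains the `RELEASE.<timestamp>Z` tag (as printed by `minio --version`), that you can build a mapping of each access key to the buckets its IAM policy lets it write, and that audit entries are JSON lines with `api.name`, `api.bucket`, `api.object`, `api.statusCode`, `accessKey`, `remotehost` and `time` fields; that layout is modelled on MinIO's JSON audit log but is an assumption to verify against your own logs. The log lines, access keys and bucket names are constructed.

```python
import json
import re
from datetime import datetime

# Release that fixed CVE-2023-28434 and CVE-2023-28432, taken from the advisory.
FIXED_RELEASE = "RELEASE.2023-03-13T19-46-17Z"

# MinIO release tags are timestamps, so ordering them is a date comparison.
_RELEASE_RE = re.compile(r"RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z")


def release_time(version: str) -> datetime:
    """Extract the build timestamp from a version string such as the output of
    `minio --version` (assumed to contain the RELEASE.<timestamp>Z tag)."""
    match = _RELEASE_RE.search(version)
    if not match:
        raise ValueError(f"no RELEASE tag found in {version!r}")
    return datetime.strptime(match.group(1), "%Y-%m-%dT%H-%M-%S")


def is_vulnerable(version: str) -> bool:
    """True when the build predates the fixed release."""
    return release_time(version) < release_time(FIXED_RELEASE)


# Assumed mapping, built from your own IAM policies: which buckets each access
# key is permitted to write. Keys absent from the map are allowed nothing.
ALLOWED_WRITES = {
    "app-uploader": {"team-uploads"},
    "ci-bot": {"ci-artifacts"},
}

# Constructed sample audit entries. The field layout is modelled on MinIO's
# JSON audit log but is an assumption; confirm it against your own logs.
SAMPLE_AUDIT_LOG = [
    json.dumps({"time": "2023-03-10T08:00:01Z", "accessKey": "app-uploader",
                "remotehost": "10.0.5.20",
                "api": {"name": "PostPolicyBucket", "bucket": "team-uploads",
                        "object": "incoming/a.csv", "statusCode": 204}}),
    json.dumps({"time": "2023-03-10T08:02:17Z", "accessKey": "app-uploader",
                "remotehost": "203.0.113.7",
                "api": {"name": "PostPolicyBucket", "bucket": "db-backups",
                        "object": "nightly/dump.sql", "statusCode": 204}}),
    json.dumps({"time": "2023-03-10T08:03:00Z", "accessKey": "ci-bot",
                "remotehost": "10.0.5.31",
                "api": {"name": "PutObject", "bucket": "ci-artifacts",
                        "object": "build/app.tar", "statusCode": 200}}),
    json.dumps({"time": "2023-03-10T08:04:45Z", "accessKey": "app-uploader",
                "remotehost": "203.0.113.7",
                "api": {"name": "PostPolicyBucket", "bucket": "db-backups",
                        "object": "x", "statusCode": 403}}),
]


def suspicious_post_policy_writes(log_lines, allowed_writes):
    """Return successful PostPolicyBucket writes whose target bucket lies outside
    the set the access key is permitted to write: the cross-bucket pattern the
    remediation list says to audit for. Failed attempts (non-2xx) are skipped,
    since a rejected request did not alter any bucket."""
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        api = entry.get("api", {})
        if api.get("name") != "PostPolicyBucket":
            continue
        if not 200 <= int(api.get("statusCode", 0)) < 300:
            continue
        access_key = entry.get("accessKey", "")
        bucket = api.get("bucket")
        if bucket not in allowed_writes.get(access_key, set()):
            findings.append({
                "time": entry.get("time"),
                "accessKey": access_key,
                "remotehost": entry.get("remotehost"),
                "bucket": bucket,
                "object": api.get("object"),
            })
    return findings


if __name__ == "__main__":
    # Constructed, pre-fix version string for illustration.
    print("vulnerable:", is_vulnerable("minio version RELEASE.2023-01-01T00-00-00Z"))
    for finding in suspicious_post_policy_writes(SAMPLE_AUDIT_LOG, ALLOWED_WRITES):
        print("cross-bucket write:", finding)
```

On a fixed build the second function should still be run over logs covering the exposure window: a write that succeeded while the instance was vulnerable stays in the bucket after the upgrade, and the finding's object key is the backup or artifact to check for tampering.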
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-28434 |
| Vendor / Product | MinIO — MinIO |
| NVD Published | 2023-03-22 |
| NVD Last Modified | 2026-02-26 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-269 |
| CISA KEV Added | 2023-09-19 |
| CISA KEV Deadline | 2023-10-10 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-03-13 | MinIO releases RELEASE.2023-03-13T19-46-17Z fixing CVE-2023-28434 and CVE-2023-28432 |
| 2023-03-22 | CVE-2023-28434 formally published |
| 2023-09-19 | Added to CISA Known Exploited Vulnerabilities catalog — nearly six months after CVE-2023-28432 KEV addition, suggesting continued exploitation |
| 2023-10-10 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| MinIO Security Advisory GHSA-2pxw-r47w-4p8c | Vendor Advisory |
| NVD — CVE-2023-28434 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |