CVE-2023-28434

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers with S3 permissions to bypass bucket name validation and write objects to any bucket in Minio object storage systems. It affects Minio deployments with Console API access enabled prior to March 2023. Attackers need valid credentials with arn:aws:s3:::* permissions to exploit this flaw.

💻 Affected Systems

Products:
  • Minio
Versions: All versions prior to RELEASE.2023-03-20T20-16-18Z
Operating Systems: All platforms running Minio
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Console API access to be enabled (MINIO_BROWSER=on by default) and attacker needs credentials with arn:aws:s3:::* permission

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could overwrite critical data, inject malicious objects, or disrupt storage operations across all buckets in the Minio deployment, potentially leading to data corruption, service disruption, or lateral movement.

🟠 Likely Case

Privileged users or compromised accounts could write unauthorized objects to buckets they shouldn't have access to, violating data segregation and potentially exfiltrating or tampering with sensitive data.

🟢 If Mitigated

With proper credential management and access controls, impact is limited to authorized users misusing their legitimate permissions rather than complete system compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid credentials with the arn:aws:s3:::* permission and Console API access enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: RELEASE.2023-03-20T20-16-18Z and later

Vendor Advisory: https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c

Restart Required: Yes

Instructions:

1. Back up the Minio configuration and data.
2. Stop the Minio service.
3. Update Minio to version RELEASE.2023-03-20T20-16-18Z or later.
4. Restart the Minio service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Disable Console API Access

Applies to: all

Turn off the Minio browser/console API to prevent exploitation:

export MINIO_BROWSER=off

Or set MINIO_BROWSER=off in the environment or systemd unit configuration that starts Minio.

🧯 If You Can't Patch

  • Disable Console API access by setting MINIO_BROWSER=off
  • Implement strict IAM policies to limit arn:aws:s3:::* permissions and use least privilege principles

🔍 How to Verify

Check if Vulnerable:

Check the Minio version: if it is earlier than RELEASE.2023-03-20T20-16-18Z and MINIO_BROWSER is enabled (the default), the system is vulnerable.

Check Version:

minio version

Verify Fix Applied:

Verify that the Minio version is RELEASE.2023-03-20T20-16-18Z or later using the 'minio version' command.

📡 Detection & Monitoring

Log Indicators:

  • Unusual PostPolicyBucket requests
  • Object writes to unexpected buckets
  • Failed bucket validation attempts

Network Indicators:

  • POST requests to /minio/upload API with manipulated bucket parameters

SIEM Query:

source="minio" AND (http_method="POST" AND uri_path="/minio/upload" AND (bucket_name NOT IN expected_buckets OR contains(bucket_name, "..")))
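The version check from "How to Verify" and the log indicators above, as an added example that is not part of this advisory: a small Python script that decides whether a release tag predates the fix and scans constructed audit-log lines for PostPolicyBucket writes to buckets outside an allowlist. The JSON field layout (`api.name`, `api.bucket`, `requestID`) and the bucket allowlist are assumptions of this example.

```python
import json
import re

# Fixed release named on this page; anything earlier (with the Console API on) is affected.
FIXED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"
RELEASE_RE = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)$")

# Bucket allowlist for the deployment (constructed for this example).
EXPECTED_BUCKETS = {"uploads", "reports"}


def is_vulnerable_version(version, browser_enabled=True):
    """True when `version` predates the fix and MINIO_BROWSER is on.
    MinIO release tags carry a UTC timestamp, so comparing the timestamp part
    as a string orders releases chronologically.
    """
    m = RELEASE_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised MinIO release tag: {version!r}")
    fixed_ts = RELEASE_RE.match(FIXED_RELEASE).group(1)
    return browser_enabled and m.group(1) < fixed_ts


def suspicious_post_policy_writes(log_lines, expected_buckets=EXPECTED_BUCKETS):
    """Return (requestID, bucket) for PostPolicyBucket calls outside the allowlist.
    Assumes JSON audit records with an `api` object holding `name` and `bucket`
    (an assumption of this example, not a MinIO format specification)."""
    hits = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        api = rec.get("api", {})
        if api.get("name") != "PostPolicyBucket":
            continue
        bucket = api.get("bucket", "")
        if bucket not in expected_buckets or ".." in bucket:
            hits.append((rec.get("requestID", "?"), bucket))
    return hits


# Constructed sample audit lines (not real logs): a normal upload, a write to a
# bucket the policy should never reach, a non-policy write, a traversal-looking name.
SAMPLE_LOG = [
    '{"requestID":"r1","api":{"name":"PostPolicyBucket","bucket":"uploads","object":"a.txt"}}',
    '{"requestID":"r2","api":{"name":"PostPolicyBucket","bucket":"backups","object":"x.bin"}}',
    '{"requestID":"r3","api":{"name":"PutObject","bucket":"backups","object":"y.bin"}}',
    '{"requestID":"r4","api":{"name":"PostPolicyBucket","bucket":"../etc","object":"z"}}',
    'not json',
]
```

Feed real audit lines to `suspicious_post_policy_writes` and set `expected_buckets` to the buckets each credential is actually meant to write to.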

🔗 References