CVE-2023-28434

Name: CVE-2023-28434
Creator: NVD / NIST
Published: 2023-03-22T21:15:18.427+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10Actively ExploitedEPSS 6.74%

Last modified Jun 17, 2026

CVE-2023-28434 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. CISA has confirmed active exploitation in the wild. EPSS estimates a 6.74% chance of exploitation in the next 30 days.

Description

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

6.74%

93.1th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by Oct 10, 2023.

Weakness Enumeration

CWE-269

Affected Software

Vendor	Product	Versions
Minio	Minio	< 2023-03-20t20-16-18z

References

https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5Patch
https://github.com/minio/minio/pull/16849Exploit, Issue Tracking
https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8cVendor Advisory
https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5Patch
https://github.com/minio/minio/pull/16849Exploit, Issue Tracking
https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8cVendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28434US Government Resource

Timeline

Published: Mar 22, 2023
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2023-28434?

How severe is CVE-2023-28434?

CVE-2023-28434 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 6.74% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2023-28434?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-28434?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST