CVE-2023-28434 Overview
CVE-2023-28434 is a high-severity (CVSS 3.1 base score 8.8) authorization bypass in MinIO, a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass the metadata bucket name check and put an object into any bucket while the server processes a PostPolicyBucket request. Carrying out the attack requires valid credentials holding the wildcard permission arn:aws:s3:::* and an enabled Console API, so it is a post-authentication privilege escalation that breaks bucket-level isolation across the whole deployment.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Attackers with valid credentials can bypass bucket access controls to write malicious objects to any bucket in the MinIO instance.
Affected Products
- MinIO versions prior to RELEASE.2023-03-20T20-16-18Z
- MinIO deployments with Console API access enabled
- MinIO instances where users have arn:aws:s3:::* permission
Discovery Timeline
- 2023-03-22 - CVE-2023-28434 published to NVD
- 2025-10-24 - Last updated in NVD database
Technical Details for CVE-2023-28434
Vulnerability Analysis
This vulnerability is an authorization bypass in MinIO's PostPolicyBucket handler: an authenticated user can get past the bucket name validation that is supposed to confine a browser-style POST upload to the bucket named in the request. The flaw lies in how MinIO routes and validates POST policy requests, so an attacker can shape the request to target a bucket they were not meant to write to. The attack needs valid credentials carrying the wildcard permission arn:aws:s3:::* and an enabled Console API, which makes it a post-authentication privilege escalation that ends in unauthorized data modification across the storage deployment.
Root Cause
The root cause is insufficient validation of the bucket name while a PostPolicyBucket request is processed. The original routing matched POST policy requests with nothing more than a regular expression on the Content-Type header (multipart/form-data*), so any multipart POST reached the handler and a crafted form could slip past the intended bucket name check. The routing never established that the request actually carried a PostPolicy signature of the expected form before handing it to the handler.
Attack Vector
The attack is carried out over the network by an authenticated user whose credentials carry wildcard S3 permissions. The attacker sends a crafted multipart POST to the PostPolicyBucket endpoint and manipulates the form metadata to name an arbitrary target bucket. Because the vulnerable code path keyed only on the Content-Type header rather than on a proper check of the request itself, bucket-level access control is bypassed and the object is written into a bucket the request was never authorized for.
// Vulnerable routing logic (before patch): any POST whose Content-Type looks like multipart/form-data reaches the handler
router.Methods(http.MethodPost).HeadersRegexp(xhttp.ContentType, "multipart/form-data*").HandlerFunc(
    collectAPIStats("postpolicybucket", maxClients(gz(httpTraceHdrs(api.PostPolicyBucketHandler)))))

// Fixed routing logic (after patch): match on the POST policy signature check instead of the Content-Type header alone
router.Methods(http.MethodPost).MatcherFunc(func(r *http.Request, _ *mux.RouteMatch) bool {
    return isRequestPostPolicySignatureV4(r)
}).HandlerFunc(collectAPIStats("postpolicybucket", maxClients(gz(httpTraceHdrs(api.PostPolicyBucketHandler)))))
Source: GitHub Commit
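To make the difference between the two route matchers concrete, the following is an added, self-contained Go example written for this page; it is not MinIO's code and does not claim to reproduce the exact patch. It models the pre-patch behaviour (a Content-Type-only match feeding a handler in which a form-supplied bucket field overrides the bucket in the URL) beside a hardened path (a matcher that also requires the S3 POST policy signature fields policy, x-amz-algorithm, x-amz-credential and x-amz-signature, and a handler that refuses a form whose bucket disagrees with the URL). The matcher, handler and bucket-consistency rule are assumptions chosen for illustration, and every form value is a constructed placeholder.

```go
package main

import (
	"bytes"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
	"strings"
)

// outcome is what the modelled handler would do with a request.
type outcome struct {
	Status int
	Bucket string // bucket the object would land in; empty when rejected
}

// matchByContentTypeOnly models the pre-patch route: any POST that merely
// claims multipart/form-data is sent to the POST policy handler.
func matchByContentTypeOnly(r *http.Request) bool {
	return r.Method == http.MethodPost &&
		strings.HasPrefix(r.Header.Get("Content-Type"), "multipart/form-data")
}

// matchPostPolicySigV4 additionally requires the S3 POST policy signature
// fields. Hypothetical matcher written for this example, not MinIO's.
func matchPostPolicySigV4(r *http.Request) bool {
	if !matchByContentTypeOnly(r) || r.ParseMultipartForm(1<<20) != nil {
		return false
	}
	for _, f := range []string{"policy", "x-amz-credential", "x-amz-signature"} {
		if r.FormValue(f) == "" {
			return false
		}
	}
	return r.FormValue("x-amz-algorithm") == "AWS4-HMAC-SHA256"
}

// bucketFromPath maps "POST /<bucket>/" to "<bucket>".
func bucketFromPath(p string) string { return strings.Trim(p, "/") }

// vulnerableHandler models the flaw the advisory describes: the bucket named
// in the form metadata overrides the bucket in the URL, so the write lands in
// a bucket that the request was never authorized for.
func vulnerableHandler(r *http.Request) outcome {
	bucket := bucketFromPath(r.URL.Path) // authorization was evaluated against this
	if r.ParseMultipartForm(1<<20) != nil {
		return outcome{http.StatusBadRequest, ""}
	}
	if fb := r.FormValue("bucket"); fb != "" {
		bucket = fb // crafted form redirects the write
	}
	return outcome{http.StatusNoContent, bucket}
}

// hardenedHandler refuses any form whose bucket field disagrees with the URL.
// Illustrative check for this example, not MinIO's exact patch.
func hardenedHandler(r *http.Request) outcome {
	bucket := bucketFromPath(r.URL.Path)
	if r.ParseMultipartForm(1<<20) != nil {
		return outcome{http.StatusBadRequest, ""}
	}
	if fb := r.FormValue("bucket"); fb != "" && fb != bucket {
		return outcome{http.StatusForbidden, ""}
	}
	return outcome{http.StatusNoContent, bucket}
}

// route applies a matcher, then a handler, the way a router would.
func route(r *http.Request, match func(*http.Request) bool, h func(*http.Request) outcome) outcome {
	if !match(r) {
		return outcome{http.StatusMethodNotAllowed, ""}
	}
	return h(r)
}

// newForm builds a constructed multipart POST to /<bucket>/ with the given fields.
func newForm(bucket string, fields map[string]string) *http.Request {
	var body bytes.Buffer
	w := multipart.NewWriter(&body)
	for k, v := range fields {
		_ = w.WriteField(k, v)
	}
	_ = w.Close()
	req := httptest.NewRequest(http.MethodPost, "/"+bucket+"/", &body)
	req.Header.Set("Content-Type", w.FormDataContentType())
	return req
}

// signedFields returns constructed placeholder values; a real form carries a
// base64 policy document and an HMAC-SHA256 signature computed over it.
func signedFields(extra map[string]string) map[string]string {
	f := map[string]string{
		"key": "report.txt", "policy": "constructed-policy-document",
		"x-amz-algorithm":  "AWS4-HMAC-SHA256",
		"x-amz-credential": "UPLOADER/20230320/us-east-1/s3/aws4_request",
		"x-amz-signature":  "constructed-signature",
	}
	for k, v := range extra {
		f[k] = v
	}
	return f
}

func main() {
	crafted := signedFields(map[string]string{"bucket": "backups"}) // URL says public, form says backups
	fmt.Println(route(newForm("public", crafted), matchByContentTypeOnly, vulnerableHandler))
	fmt.Println(route(newForm("public", crafted), matchPostPolicySigV4, hardenedHandler))
	fmt.Println(route(newForm("public", map[string]string{"key": "x"}), matchPostPolicySigV4, hardenedHandler))
}
```

Run with `go run`: the first line shows the crafted upload landing in backups on the modelled vulnerable path, the second shows the hardened path answering 403, and the third shows that a multipart form without the signature fields no longer reaches the handler at all (405). In production the policy document and signature must of course be verified against the credential's secret key as well; this example stops at the routing and bucket-consistency checks the page discusses.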
Detection Methods for CVE-2023-28434
Indicators of Compromise
- Unexpected objects appearing in protected or sensitive buckets
- POST requests to a bucket root (POST /<bucket>/) with a multipart/form-data Content-Type from unusual source addresses or user agents
- Audit log entries showing object writes by credentials that are not expected to write to that bucket
- Anomalous PostPolicyBucket API calls targeting multiple different buckets from a single credential
Detection Strategies
- Monitor MinIO audit logs for PostPolicyBucket operations targeting buckets outside the user's expected scope
- Alert when credentials holding the wildcard permission arn:aws:s3:::* are used while the Console API is enabled, and review why such broad grants exist at all
- Review access patterns for users with broad S3 permissions accessing buckets they don't typically interact with
- At the proxy or load balancer in front of MinIO, log multipart POST requests to bucket roots so that unexpected targets can be correlated with the audit log
Monitoring Recommendations
- Enable comprehensive MinIO audit logging and forward logs to a SIEM platform for analysis
- Create baseline profiles for normal bucket access patterns per user/credential
- Set up alerts for any writes to critical infrastructure or configuration buckets
- Regularly audit IAM policies to identify overly permissive wildcard permissions
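The two detection ideas above (writes outside a credential's expected scope, and one credential spraying PostPolicyBucket across many buckets) can be run as a single pass over MinIO audit log lines. The Go program below is an added example written for this page, not a MinIO tool. It reads JSON lines shaped like MinIO's audit log (the "api" object with name, bucket, object and statusCode, plus the top-level accessKey, remotehost and time fields); the sample lines, the expected-scope table and the fan-out threshold are constructed for the demonstration and would come from your SIEM and IAM inventory in practice.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// auditEntry holds the subset of MinIO audit-log fields used by the detector.
type auditEntry struct {
	Time       string `json:"time"`
	AccessKey  string `json:"accessKey"`
	RemoteHost string `json:"remotehost"`
	API        struct {
		Name       string `json:"name"`
		Bucket     string `json:"bucket"`
		Object     string `json:"object"`
		StatusCode int    `json:"statusCode"`
	} `json:"api"`
}

// writeAPIs are the S3 calls that create or replace objects.
var writeAPIs = map[string]bool{
	"PostPolicyBucket": true, "PutObject": true,
	"CompleteMultipartUpload": true, "CopyObject": true,
}

// Alert is one finding.
type Alert struct {
	AccessKey, Bucket, Reason string
}

// Detect scans audit lines. expected maps an access key to the buckets it is
// meant to write to; a successful write anywhere else is flagged, as is a
// credential that spreads PostPolicyBucket calls over more than fanoutLimit buckets.
func Detect(lines []string, expected map[string][]string, fanoutLimit int) []Alert {
	var alerts []Alert
	postPolicyTargets := map[string]map[string]bool{}
	for _, ln := range lines {
		var e auditEntry
		if err := json.Unmarshal([]byte(ln), &e); err != nil {
			continue // not a JSON audit line; skip rather than stop the pipeline
		}
		if !writeAPIs[e.API.Name] || e.API.StatusCode >= 300 {
			continue // reads and rejected attempts are out of scope for this rule
		}
		if !inScope(expected[e.AccessKey], e.API.Bucket) {
			alerts = append(alerts, Alert{e.AccessKey, e.API.Bucket,
				fmt.Sprintf("%s outside expected scope at %s from %s", e.API.Name, e.Time, e.RemoteHost)})
		}
		if e.API.Name == "PostPolicyBucket" {
			if postPolicyTargets[e.AccessKey] == nil {
				postPolicyTargets[e.AccessKey] = map[string]bool{}
			}
			postPolicyTargets[e.AccessKey][e.API.Bucket] = true
		}
	}
	keys := make([]string, 0, len(postPolicyTargets))
	for k := range postPolicyTargets {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic report order
	for _, k := range keys {
		if n := len(postPolicyTargets[k]); n > fanoutLimit {
			alerts = append(alerts, Alert{k, "", fmt.Sprintf("PostPolicyBucket fan-out to %d buckets", n)})
		}
	}
	return alerts
}

func inScope(allowed []string, bucket string) bool {
	for _, b := range allowed {
		if b == bucket {
			return true
		}
	}
	return false
}

// sampleLines are constructed for this example in the shape of MinIO audit
// log entries; they are not captured from a real deployment.
var sampleLines = []string{
	`{"version":"1","time":"2023-03-21T10:00:01Z","accessKey":"app-uploader","remotehost":"10.0.0.5","api":{"name":"PostPolicyBucket","bucket":"uploads","object":"a.txt","statusCode":204}}`,
	`{"version":"1","time":"2023-03-21T10:00:02Z","accessKey":"app-uploader","remotehost":"10.0.0.5","api":{"name":"PutObject","bucket":"uploads","object":"b.txt","statusCode":200}}`,
	`{"version":"1","time":"2023-03-21T10:01:07Z","accessKey":"app-uploader","remotehost":"203.0.113.9","api":{"name":"PostPolicyBucket","bucket":"backups","object":"nightly.tar","statusCode":204}}`,
	`{"version":"1","time":"2023-03-21T10:01:08Z","accessKey":"app-uploader","remotehost":"203.0.113.9","api":{"name":"PostPolicyBucket","bucket":"config","object":"settings.json","statusCode":204}}`,
	`{"version":"1","time":"2023-03-21T10:01:09Z","accessKey":"app-uploader","remotehost":"203.0.113.9","api":{"name":"PostPolicyBucket","bucket":"secrets","object":"x","statusCode":403}}`,
	`{"version":"1","time":"2023-03-21T10:02:00Z","accessKey":"auditor","remotehost":"10.0.0.7","api":{"name":"GetObject","bucket":"backups","object":"nightly.tar","statusCode":200}}`,
}

func main() {
	for _, a := range Detect(sampleLines, map[string][]string{"app-uploader": {"uploads"}}, 2) {
		fmt.Printf("%-14s %-8s %s\n", a.AccessKey, a.Bucket, a.Reason)
	}
}
```

Against the constructed sample, app-uploader is expected to write only to uploads, so the two successful PostPolicyBucket writes into backups and config are flagged, the rejected attempt on secrets is ignored by this rule (a separate rule on 403 bursts is worth having), and the credential's spread over three distinct PostPolicyBucket targets exceeds the fan-out limit of two. Feed real audit logs through the same function by splitting the SIEM export into lines.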
How to Mitigate CVE-2023-28434
Immediate Actions Required
- Upgrade MinIO to version RELEASE.2023-03-20T20-16-18Z or later immediately
- Review all IAM policies and remove unnecessary wildcard S3 permissions (arn:aws:s3:::*)
- Audit bucket contents for unauthorized objects that may have been placed via this vulnerability
- Disable Console API access if not required for operations
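Reviewing IAM policies for the wildcard grant that this vulnerability depends on is easy to automate. The Go program below is an added example for this page, not part of MinIO or its mc tool: it parses policy documents in the AWS-style JSON form MinIO uses (Action and Resource given either as a string or as a list), reports every Allow statement that grants a write-capable action on a resource whose bucket segment is a wildcard, and contrasts a constructed wildcard policy with a scoped replacement. The write-action list and the "wildcard in the bucket segment" rule are heuristics chosen for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// stringOrList accepts both JSON forms: "s3:*" and ["s3:GetObject", "s3:PutObject"].
type stringOrList []string

func (s *stringOrList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = []string{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = many
	return nil
}

type statement struct {
	Sid      string       `json:"Sid"`
	Effect   string       `json:"Effect"`
	Action   stringOrList `json:"Action"`
	Resource stringOrList `json:"Resource"`
}

type policy struct {
	Version   string      `json:"Version"`
	Statement []statement `json:"Statement"`
}

// isWriteAction reports whether an action pattern grants object writes.
// Action names are compared case-insensitively, as S3 does.
func isWriteAction(a string) bool {
	a = strings.ToLower(a)
	if a == "*" || a == "s3:*" {
		return true
	}
	for _, w := range []string{"s3:putobject", "s3:deleteobject"} {
		if ok, _ := path.Match(a, w); ok {
			return true
		}
	}
	return false
}

// bucketIsWildcard is true when the bucket segment of an S3 ARN contains '*',
// e.g. arn:aws:s3:::* or arn:aws:s3:::prod-*/*. Heuristic chosen for this example.
func bucketIsWildcard(res string) bool {
	if res == "*" {
		return true
	}
	const prefix = "arn:aws:s3:::"
	if !strings.HasPrefix(res, prefix) {
		return false
	}
	bucket, _, _ := strings.Cut(strings.TrimPrefix(res, prefix), "/")
	return strings.Contains(bucket, "*")
}

// FindWildcardWriteGrants returns one line per Allow statement that grants a
// write action on a wildcard bucket resource.
func FindWildcardWriteGrants(policyJSON string) ([]string, error) {
	var p policy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return nil, err
	}
	var findings []string
	for i, st := range p.Statement {
		if !strings.EqualFold(st.Effect, "Allow") {
			continue
		}
		for _, a := range st.Action {
			if !isWriteAction(a) {
				continue
			}
			for _, r := range st.Resource {
				if bucketIsWildcard(r) {
					findings = append(findings, fmt.Sprintf("statement %d (%s): %s on %s", i, st.Sid, a, r))
				}
			}
		}
	}
	return findings, nil
}

// Constructed policies for this example: the first is the kind of grant the
// advisory's preconditions describe, the second is a scoped replacement.
const wildcardPolicy = `{"Version":"2012-10-17","Statement":[
  {"Sid":"AllS3","Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::*"}]}`

const scopedPolicy = `{"Version":"2012-10-17","Statement":[
  {"Sid":"ListOwn","Effect":"Allow","Action":["s3:ListBucket"],"Resource":["arn:aws:s3:::uploads"]},
  {"Sid":"WriteOwn","Effect":"Allow","Action":["s3:PutObject","s3:GetObject"],"Resource":["arn:aws:s3:::uploads/*"]}]}`

func main() {
	for _, pj := range []string{wildcardPolicy, scopedPolicy} {
		findings, err := FindWildcardWriteGrants(pj)
		if err != nil {
			panic(err)
		}
		fmt.Println(len(findings), "wildcard write grant(s):", findings)
	}
}
```

Point FindWildcardWriteGrants at each policy exported from your deployment; any finding is a credential that satisfies the arn:aws:s3:::* precondition of this CVE and should be narrowed to the buckets and prefixes the workload actually needs, as in the scoped policy above.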
Patch Information
MinIO released RELEASE.2023-03-20T20-16-18Z to address this vulnerability. The fix routes POST policy requests through the isRequestPostPolicySignatureV4() matcher, so a request has to look like a genuine PostPolicy request before it reaches the handler, rather than being admitted on its Content-Type header alone. Organizations should upgrade immediately; the vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog.
For additional details, refer to the GitHub Security Advisory and the related pull request.
Workarounds
- Disable browser/Console API access by setting the environment variable MINIO_BROWSER=off
- Implement strict IAM policies that avoid wildcard bucket permissions
- Use network segmentation to limit which systems can reach the MinIO Console API
- Deploy a web application firewall (WAF) to inspect and filter malicious POST requests
# Disable the MinIO browser/Console API as a temporary workaround.
# Exporting the variable in an interactive shell does not reach a systemd-managed
# service; the stock minio.service unit reads its environment from /etc/default/minio.
echo 'MINIO_BROWSER=off' >> /etc/default/minio
# Restart the MinIO service to apply the change
systemctl restart minio
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


