CVE-2026-33419

MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/minio/minio/security/advisories/GHSA-jv87-32hw-hh99	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*

History

08 Apr 2026, 19:00

Type	Values Removed	Values Added
First Time		Minio Minio minio
CPE		cpe:2.3:a:minio:minio::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() https://github.com/minio/minio/security/advisories/GHSA-jv87-32hw-hh99 -~~	() https://github.com/minio/minio/security/advisories/GHSA-jv87-32hw-hh99 - Patch, Vendor Advisory
Summary		(es) MinIO es un sistema de almacenamiento de objetos de alto rendimiento. Antes de RELEASE.2026-03-17T21-25-16Z, el endpoint AssumeRoleWithLDAPIdentity del STS (Security Token Service) de MinIO AIStor es vulnerable a la fuerza bruta de credenciales LDAP debido a dos debilidades combinadas: (1) respuestas de error distinguibles que permiten la enumeración de nombres de usuario, y (2) la ausencia de limitación de velocidad en los intentos de autenticación. Un atacante de red no autenticado puede enumerar nombres de usuario LDAP válidos y luego realizar adivinanzas de contraseñas ilimitadas para obtener credenciales STS temporales de estilo AWS, obteniendo acceso a los buckets y objetos S3 de la víctima. Este problema ha sido parcheado en RELEASE.2026-03-17T21-25-16Z.

24 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-24 20:16

Updated : 2026-04-08 19:00

NVD link : CVE-2026-33419

Mitre link : CVE-2026-33419

CVE.ORG link : CVE-2026-33419

JSON object : View

Products Affected

minio

minio

CWE

CWE-204

Observable Response Discrepancy

CWE-307

Improper Restriction of Excessive Authentication Attempts

7.5 /10