CVE-2026-33419

MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.

CVSS

No CVSS.

References

Link	Resource
https://github.com/minio/minio/security/advisories/GHSA-jv87-32hw-hh99

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-24 20:16

Updated : 2026-03-25 15:41

NVD link : CVE-2026-33419

Mitre link : CVE-2026-33419

CVE.ORG link : CVE-2026-33419

JSON object : View

Products Affected

No product.

CWE

CWE-204

Observable Response Discrepancy

CWE-307

Improper Restriction of Excessive Authentication Attempts

{"id": "CVE-2026-33419", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-24T20:16:29.900", "references": [{"url": "https://github.com/minio/minio/security/advisories/GHSA-jv87-32hw-hh99", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-204"}, {"lang": "en", "value": "CWE-307"}]}], "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects. This issue has been patched in RELEASE.2026-03-17T21-25-16Z."}, {"lang": "es", "value": "MinIO es un sistema de almacenamiento de objetos de alto rendimiento. Antes de RELEASE.2026-03-17T21-25-16Z, el endpoint AssumeRoleWithLDAPIdentity del STS (Security Token Service) de MinIO AIStor es vulnerable a la fuerza bruta de credenciales LDAP debido a dos debilidades combinadas: (1) respuestas de error distinguibles que permiten la enumeraci\u00f3n de nombres de usuario, y (2) la ausencia de limitaci\u00f3n de velocidad en los intentos de autenticaci\u00f3n. Un atacante de red no autenticado puede enumerar nombres de usuario LDAP v\u00e1lidos y luego realizar adivinanzas de contrase\u00f1as ilimitadas para obtener credenciales STS temporales de estilo AWS, obteniendo acceso a los buckets y objetos S3 de la v\u00edctima. Este problema ha sido parcheado en RELEASE.2026-03-17T21-25-16Z."}], "lastModified": "2026-03-25T15:41:58.280", "sourceIdentifier": "security-advisories@github.com"}