CVE-2025-62506: Incorrect Authorization in MinIO

Severity: 8.1 HIGH (NVD)
EPSS: 0.0% (top 94.32%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 16; latest update Jan 8

Description

MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrictions when performing operations on their own account, specifically when creating new service accounts for the same user. The vulnerability exists in the IAM policy validation logic where the code incorrectly relied on th
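To make the described bypass concrete, the following is an added Go illustration, not MinIO's or RustFS's own code: it models a session-policy check in which an own-account operation consults the session policy only for explicit denies (the deny-only short-circuit named in the RustFS advisory), beside the corrected check that requires the session policy to grant the action. All type, function and action names are assumptions.

```go
package main

import "fmt"

// Simplified model of the check behind CVE-2025-62506: an added illustration,
// not MinIO's or RustFS's own code; every name below is an assumption.

// Statement is one policy rule: Action is an exact action name or "*", and
// Deny marks an explicit deny (otherwise the statement is an allow).
type Statement struct{ Action string; Deny bool }

// Credential is a service/STS account derived from ParentUser; its inline
// session policy is only meant to narrow the parent's policy, never widen it.
type Credential struct{ ParentUser string; ParentPolicy, SessionPolicy []Statement }

// evaluate applies explicit-deny-wins. With denyOnly=true a policy that never
// mentions the action counts as allowing it: the short-circuit behind the flaw.
func evaluate(policy []Statement, action string, denyOnly bool) bool {
	granted := denyOnly
	for _, s := range policy {
		if s.Action != action && s.Action != "*" {
			continue
		}
		if s.Deny {
			return false
		}
		granted = true
	}
	return granted
}

const mintAction = "admin:CreateServiceAccount"
// canMint decides whether c may create a service account for target. The
// vulnerable path (fixed=false) checks the session policy in deny-only mode
// for the caller's own account, so a read-only session can still mint one.
func canMint(c Credential, target string, fixed bool) bool {
	if target != c.ParentUser || !evaluate(c.ParentPolicy, mintAction, false) {
		return false
	}
	return evaluate(c.SessionPolicy, mintAction, !fixed)
}

// ReadOnlySession is a constructed sample: alice has full rights, but her STS
// session policy grants only s3:GetObject.
var ReadOnlySession = Credential{ParentUser: "alice", ParentPolicy: []Statement{{Action: "*"}},
	SessionPolicy: []Statement{{Action: "s3:GetObject"}}}

func main() {
	fmt.Println(canMint(ReadOnlySession, "alice", false), canMint(ReadOnlySession, "alice", true)) // true false
}
```

The minted service account would inherit the parent's rights, which is why the session policy must be evaluated as a grant requirement rather than a deny-only filter.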

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.8 | Impact: 5.2

Affected Packages (3 packages)

Source      Package                  Affected versions
CVEListV5   minio/minio              < RELEASE.2025-10-15T17-29-55Z
Go          github.com/minio_minio   < 0.0.0-20251015170045-c1a49490c78e
crates.io   rustfs/rustfs            1.0.0-alpha.13, 1.0.0-alpha.79

Vulnerability Details (5 advisories)

- GHSA, 2026-01-08: RustFS has IAM deny_only Short-Circuit that Allows Privilege Escalation via Service Account Minting
- OSV, 2026-01-08: RustFS has IAM deny_only Short-Circuit that Allows Privilege Escalation via Service Account Minting
- OSV, 2025-10-30: MinIO is Vulnerable to Privilege Escalation via Session Policy Bypass in Service Accounts and STS in github.com/minio/minio
- GHSA, 2025-10-16: MinIO is Vulnerable to Privilege Escalation via Session Policy Bypass in Service Accounts and STS
- OSV, 2025-10-16: MinIO is Vulnerable to Privilege Escalation via Session Policy Bypass in Service Accounts and STS