CVE-2026-33419: Observable Response Discrepancy in MinIO

Severity: 9.1 CRITICAL (NVD)
EPSS: 0.1% (top 84.67%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Latest update Mar 23; Published Mar 24

Description

MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to o

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages (3 packages)

CVEListV5: minio/minio < RELEASE.2026-03-17T21-25-16Z
NVD: minio/minio < 2026-03-17t21-25-16z
Go: github.com/minio/minio 0.0.0-20260212201848-7aac2a2c5b7c

Patches

Vulnerability Details (3)

OSV: MinIO LDAP login brute-force via user enumeration and missing rate limit in github.com/minio/minio (2026-03-23)
GHSA: MinIO LDAP login brute-force via user enumeration and missing rate limit (2026-03-20)
OSV: MinIO LDAP login brute-force via user enumeration and missing rate limit (2026-03-20)

Threat Intelligence (1)

Wiz: CVE-2026-33419 Impact, Exploitability, and Mitigation Steps | Wiz