CVE-2026-33419
Published 2026-03-24
Priority: P3 · 48 · high · 7.5 (CVSS 3.1)
EPSS: 0.39% (31.2th percentile)
MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.
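As an added illustration (not MinIO's code and not taken from the advisory), the Go sketch below puts a login check with the two weaknesses described above beside a hardened variant that returns one failure message for both causes and enforces a per-user attempt budget. The `directory` map, error names and limits are constructed for the example.

```go
package main
import "errors"
import "time"
var directory = map[string]string{"alice": "correct-horse"} // constructed stand-in for the LDAP directory
var (
	ErrNoSuchUser  = errors.New("user not found")        // reveals the account does not exist
	ErrBadPassword = errors.New("invalid password")      // reveals the account does exist
	ErrAuthFailed  = errors.New("authentication failed") // one message for both failure causes
	ErrRateLimited = errors.New("too many attempts")
)
// weakLogin models both weaknesses: the error tells a missing user from a wrong password, and nothing bounds attempts.
func weakLogin(user, pass string) error {
	switch stored, ok := directory[user]; {
	case !ok:
		return ErrNoSuchUser
	case stored != pass:
		return ErrBadPassword
	}
	return nil
}

// limiter allows at most max attempts per key per fixed window. Keying by username alone lets one
// client lock a user out; key by (client address, username) in practice. Not goroutine-safe: add a mutex in a server.
type limiter struct {
	max    int
	window time.Duration
	start  map[string]time.Time // start of the current window per key
	count  map[string]int       // attempts seen in that window
}
func (l *limiter) allow(key string, now time.Time) bool {
	if now.Sub(l.start[key]) >= l.window { // first sighting or expired window: reset
		l.start[key], l.count[key] = now, 0
	}
	if l.count[key] >= l.max {
		return false
	}
	l.count[key]++
	return true
}
// hardenedLogin checks the budget first and returns one error for both failure causes, so the
// response no longer tells valid usernames apart.
func hardenedLogin(l *limiter, user, pass string, now time.Time) error {
	if !l.allow(user, now) {
		return ErrRateLimited
	}
	if stored, ok := directory[user]; !ok || stored != pass {
		return ErrAuthFailed
	}
	return nil
}
```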
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | minio_minio | 0 – 0.0.0-20260212201848-7aac2a2c5b7c | — |
| minio | minio | < RELEASE.2026-03-17T21-25-16Z | RELEASE.2026-03-17T21-25-16Z |
| minio | minio | < 2026-03-17t21-25-16z | 2026-03-17t21-25-16z |
CVSS provenance
- NVD, CVSS v3.1: 7.5 HIGH, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
- NVD, CVSS v4.0: 9.1 CRITICAL, `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X`
OSV (2026-03-23): CVE-2026-33419 MinIO LDAP login brute-force via user enumeration and missing rate limit in github.com/minio/minio
GHSA (2026-03-20): CVE-2026-33419 [CRITICAL] CWE-204 MinIO LDAP login brute-force via user enumeration and missing rate limit
### Impact
MinIO AIStor's STS (Security Token Service) `AssumeRoleWithLDAPIdentity` endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects.
All deployments with LDAP configured running an affected version are impacted.
There are two vulnerabilities:
1. User Enumeration via Distinguishabl
OSV (2026-03-20): CVE-2026-33419 [CRITICAL] MinIO LDAP login brute-force via user enumeration and missing rate limit
No detection rules found.
No public exploits indexed.