CVE-2026-33419
HIGHMinIO: LDAP login brute-force via user enumeration and missing rate limit
Title source: cnaDescription
MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/minio/minio/security/advisories/GHSA-jv87-32hw-hh99
Scores
CVSS v3
7.5
EPSS
0.0039
EPSS Percentile
30.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-204
CWE-307
Status
published
Products (3)
minio/minio
< 2026-03-17t21-25-16z
minio/minio
0Go
minio/minio
< RELEASE.2026-03-17T21-25-16Z
Published
Mar 24, 2026
Tracked Since
Mar 25, 2026