{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33419", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T18:45:22.431Z", "datePublished": "2026-03-24T19:05:30.937Z", "dateUpdated": "2026-03-25T13:24:44.452Z"}, "containers": {"cna": {"title": "MinIO: LDAP login brute-force via user enumeration and missing rate limit", "problemTypes": [{"descriptions": [{"cweId": "CWE-204", "lang": "en", "description": "CWE-204: Observable Response Discrepancy", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-307", "lang": "en", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/minio/minio/security/advisories/GHSA-jv87-32hw-hh99", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/minio/minio/security/advisories/GHSA-jv87-32hw-hh99"}], "affected": [{"vendor": "minio", "product": "minio", "versions": [{"version": "< RELEASE.2026-03-17T21-25-16Z", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:05:30.937Z"}, "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects. This issue has been patched in RELEASE.2026-03-17T21-25-16Z."}], "source": {"advisory": "GHSA-jv87-32hw-hh99", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:23:54.467588Z", "id": "CVE-2026-33419", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:24:44.452Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33419", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T18:45:22.431Z", "datePublished": "2026-03-24T19:05:30.937Z", "dateUpdated": "2026-03-25T13:24:44.452Z"}, "containers": {"cna": {"title": "MinIO: LDAP login brute-force via user enumeration and missing rate limit", "problemTypes": [{"descriptions": [{"cweId": "CWE-204", "lang": "en", "description": "CWE-204: Observable Response Discrepancy", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-307", "lang": "en", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/minio/minio/security/advisories/GHSA-jv87-32hw-hh99", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/minio/minio/security/advisories/GHSA-jv87-32hw-hh99"}], "affected": [{"vendor": "minio", "product": "minio", "versions": [{"version": "< RELEASE.2026-03-17T21-25-16Z", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:05:30.937Z"}, "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects. This issue has been patched in RELEASE.2026-03-17T21-25-16Z."}], "source": {"advisory": "GHSA-jv87-32hw-hh99", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33419", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:23:54.467588Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:24:34.367Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects. This issue has been patched in RELEASE.2026-03-17T21-25-16Z."}], "id": "CVE-2026-33419", "lastModified": "2026-03-25T15:41:58.280", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T20:16:29.900", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/minio/minio/security/advisories/GHSA-jv87-32hw-hh99"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-204"}, {"lang": "en", "value": "CWE-307"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,RELEASE.2026-03-17T21-25-16Z)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "minio", "source": "cna", "vendor": "minio"}, "product": "minio", "vendor": "minio"}], "analysis": {"en": {"generated_at": "2026-03-24T20:50:48.641280+00:00", "value": {"mitigation_remediation": ["Upgrade MinIO to RELEASE.2026-03-17T21-25-16Z or later", "Restrict unauthenticated access to the STS AssumeRoleWithLDAPIdentity endpoint", "Implement network rate limiting or firewall rules to limit traffic to the STS endpoint", "Monitor logs for failed authentication attempts and anomalous enumeration patterns"], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Access to S3 Buckets"}, "threat_synthesis": {"affected_systems": "Any instance of the MinIO product running a version earlier than RELEASE.2026\u201103\u201117T21\u201125\u201116Z is affected. The vulnerability exists in the STS AssumeRoleWithLDAPIdentity endpoint of MinIO AIStor and has been patched in the 2026\u201103\u201117 release. Users should confirm the deployed version and apply the update if necessary.", "description_and_impact": "MinIO\u2019s Security Token Service is vulnerable through its AssumeRoleWithLDAPIdentity endpoint, allowing an unauthenticated attacker to distinguish valid LDAP usernames from error responses. The service also lacks any rate limiting, giving the attacker the ability to attempt unlimited password guesses. If the attacker successfully authenticates, they receive temporary AWS\u2011style STS credentials that provide access to the victim\u2019s S3 buckets and objects.", "risk_and_exploitability": "The CVSS score of 9.1 indicates a high\u2011severity flaw. The EPSS score is not available, and the vulnerability does not appear in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector is over the network to the STS endpoint, with the attacker requiring only public network access to the affected service. The lack of rate limiting combined with username enumeration makes successful exploitation highly feasible, posing a significant risk to data confidentiality."}}}}, "created": "2026-03-25T11:46:23.870857+00:00", "updated": "2026-03-25T20:57:49.414819+00:00", "vendors": ["minio", "minio$PRODUCT$minio"]}