Description
MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.
Published: 2026-03-24
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege escalation and data exfiltration via unauthorized STS credentials
Action: Immediate Patch
AI Analysis

Impact

MinIO's STS AssumeRoleWithLDAPIdentity endpoint allowed attackers to brute-force LDAP credentials because the service returned distinguishable error messages that revealed which usernames were valid, and it did not enforce any rate limiting on authentication attempts. By enumerating legitimate LDAP accounts and then guessing passwords without restriction, an unauthenticated attacker could obtain temporary AWS-style STS credentials granting access to the victim's S3 buckets and objects. The vulnerability therefore lets an unauthenticated attacker gain full access to stored data, leading to potential data theft or tampering.

Affected Systems

The flaw exists in all MinIO releases prior to RELEASE.2026-03-17T21-25-16Z. Systems running MinIO object storage with the STS AssumeRoleWithLDAPIdentity service enabled are vulnerable. The issue is specific to the MinIO product and not to other LDAP‑enabled applications.

Risk and Exploitability

The CVSS score of 9.1 (v4.0) classifies the vulnerability as critical. The EPSS score below 1% suggests a low current likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack requires only network access to the MinIO STS endpoint, so any external network that can reach the object storage service is a viable attack path.

Generated by OpenCVE AI on April 8, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If an upgrade cannot be performed immediately, configure the LDAP server to enforce account lockout or rate limiting after a predefined number of failed attempts.
  • Restrict the AssumeRoleWithLDAPIdentity endpoint to trusted IP ranges or require additional authentication steps.
  • Monitor MinIO logs for repeated failed login attempts or enumeration patterns and respond accordingly.

Generated by OpenCVE AI on April 8, 2026 at 20:42 UTC.
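As an added illustration of the monitoring recommendation above (example code, not OpenCVE's or MinIO's own), the detector below runs over constructed, simplified JSON authentication events whose field names are an assumption rather than MinIO's real audit-log schema. It flags the two behaviours the advisory describes: one source failing against many distinct usernames inside a short window (the enumeration that distinguishable errors, CWE-204, made possible) and repeated failures against a single username followed by a success (the unrestricted guessing that missing rate limiting, CWE-307, allowed).

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line. The field names are an
# assumption for this example, not MinIO's real audit-log schema.
SAMPLE_LOG = """\
{"time":"2026-03-20T10:00:00Z","src":"203.0.113.9","user":"aa","result":"fail"}
{"time":"2026-03-20T10:00:01Z","src":"203.0.113.9","user":"ab","result":"fail"}
{"time":"2026-03-20T10:00:02Z","src":"203.0.113.9","user":"alice","result":"fail"}
{"time":"2026-03-20T10:00:10Z","src":"203.0.113.9","user":"alice","result":"fail"}
{"time":"2026-03-20T10:00:11Z","src":"203.0.113.9","user":"alice","result":"fail"}
{"time":"2026-03-20T10:00:13Z","src":"203.0.113.9","user":"alice","result":"success"}
{"time":"2026-03-20T10:30:00Z","src":"198.51.100.7","user":"bob","result":"fail"}
{"time":"2026-03-20T10:31:00Z","src":"198.51.100.7","user":"bob","result":"success"}
"""

WINDOW = timedelta(minutes=5)
ENUM_DISTINCT_USERS = 3  # distinct usernames failing from one source inside WINDOW
GUESS_FAILURES = 3       # failures against one username inside WINDOW

def parse_events(text):
    """Parse JSON lines into dicts with an aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["time"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["time"])

def detect(events):
    """Return (kind, key) alerts in order of first detection, one per key."""
    alerts, by_src, by_user = [], defaultdict(list), defaultdict(list)
    for e in events:
        t, src, user = e["time"], e["src"], e["user"]
        recent_user = [ts for ts in by_user[user] if t - ts <= WINDOW]
        if e["result"] == "success":
            # A success right after a burst of failures is the compromise signal.
            if len(recent_user) >= GUESS_FAILURES:
                alerts.append(("success-after-guessing", user))
            continue
        by_user[user] = recent_user + [t]
        by_src[src] = [(ts, u) for ts, u in by_src[src] if t - ts <= WINDOW] + [(t, user)]
        if len({u for _, u in by_src[src]}) >= ENUM_DISTINCT_USERS and ("enumeration", src) not in alerts:
            alerts.append(("enumeration", src))
        if len(by_user[user]) >= GUESS_FAILURES and ("password-guessing", user) not in alerts:
            alerts.append(("password-guessing", user))
    return alerts
```

Thresholds and the window are deliberately low for the sample; tune them to the normal failure rate of your LDAP population before alerting on production logs.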

Advisories
Source        ID                    Title
GitHub GHSA   GHSA-jv87-32hw-hh99   MinIO LDAP login brute-force via user enumeration and missing rate limit
History

Wed, 08 Apr 2026 19:15:00 +0000

Type          Values Removed    Values Added
CPEs                            cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*
Metrics                         cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 25 Mar 2026 14:15:00 +0000

Type          Values Removed    Values Added
Metrics                         ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Minio; Minio minio
Vendors & Products                      Minio; Minio minio

Tue, 24 Mar 2026 19:30:00 +0000

Type          Values Removed    Values Added
Description                     MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.
Title                           MinIO: LDAP login brute-force via user enumeration and missing rate limit
Weaknesses                      CWE-204; CWE-307
References                      (none listed)
Metrics                         cvssV4_0: {'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:24:44.452Z

Reserved: 2026-03-19T18:45:22.431Z

Link: CVE-2026-33419

Vulnrichment

Updated: 2026-03-25T13:24:34.367Z

NVD

Status: Analyzed

Published: 2026-03-24T20:16:29.900

Modified: 2026-04-08T19:00:39.203

Link: CVE-2026-33419

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:29:36Z

Weaknesses