Vulnerability Description
MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Minio | Minio | < 2026-03-17t21-25-16z |
Related Weaknesses (CWE)
References
- https://github.com/minio/minio/security/advisories/GHSA-jv87-32hw-hh99PatchVendor Advisory
FAQ
What is CVE-2026-33419?
CVE-2026-33419 is a vulnerability with a CVSS score of 7.5 (HIGH). MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credenti...
How severe is CVE-2026-33419?
CVE-2026-33419 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33419?
Check the references section above for vendor advisories and patch information. Affected products include: Minio Minio.