Privilege Escalation Vulnerability in MinIO Object Storage System
CVE-2025-62506

8.1 HIGH

Key Information:

Vendor: Minio
Status: Vendor
CVE Published: 16 October 2025

What is CVE-2025-62506?

A privilege escalation vulnerability exists in MinIO, a high-performance object storage system, in all versions prior to RELEASE.2025-10-15T17-29-55Z. The flaw allows service accounts and STS accounts that carry a limited session policy to escape that restriction when they create a new service account for the same user. The root cause is in the IAM policy validation logic, which improperly relies on the DenyOnly argument while validating the session policy. An attacker holding valid credentials for such a restricted service or STS account can therefore create a new service account that lacks the intended policy limitations. The new account grants access to buckets and objects beyond the original authorization, so the attacker can read, modify, delete, or create items outside the permissions the session policy was meant to enforce.

Affected Version(s)

minio < RELEASE.2025-10-15T17-29-55Z
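A quick way to triage an inventory against the affected range above is to compare each server's release tag with the fixed release. The following is an added example written for this advisory, not code from MinIO or from the advisory itself; it assumes you already have a host-to-version-string mapping (collected however your asset inventory does it) and that MinIO release tags always follow the RELEASE.YYYY-MM-DDTHH-MM-SSZ form, which is what makes them comparable as timestamps. The sample inventory is constructed.

```python
import re
from datetime import datetime

# Fixed release named in the advisory for CVE-2025-62506.
FIXED_RELEASE = "RELEASE.2025-10-15T17-29-55Z"

# MinIO release tags embed a UTC timestamp; parsing it gives a total order.
_TAG_RE = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)$")


def parse_release(tag: str) -> datetime:
    """Turn a MinIO release tag into a datetime; raise on anything else."""
    match = _TAG_RE.match(tag.strip())
    if match is None:
        raise ValueError(f"not a MinIO release tag: {tag!r}")
    return datetime.strptime(match.group(1), "%Y-%m-%dT%H-%M-%SZ")


def is_affected(tag: str, fixed: str = FIXED_RELEASE) -> bool:
    """True when the tag is strictly older than the fixed release."""
    return parse_release(tag) < parse_release(fixed)


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Classify each host as 'affected', 'fixed' or 'unknown'.

    'unknown' covers dev builds and anything that is not a release tag, so
    those hosts are surfaced for manual follow-up instead of silently skipped.
    """
    result: dict[str, str] = {}
    for host, tag in inventory.items():
        try:
            result[host] = "affected" if is_affected(tag) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "s3-prod-1": "RELEASE.2025-09-10T12-00-00Z",   # older than the fix
    "s3-prod-2": "RELEASE.2025-10-15T17-29-55Z",   # exactly the fixed release
    "s3-lab":    "RELEASE.2025-11-01T00-00-00Z",   # newer than the fix
    "s3-legacy": "dev-build",                      # not a release tag
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {status}")
```

The comparison is strict, so a server running exactly RELEASE.2025-10-15T17-29-55Z is reported as fixed, matching the "prior to" wording of the advisory; hosts whose version string cannot be parsed are reported separately rather than assumed safe.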

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
