Brute-Force Vulnerability in MinIO's STS Endpoint
CVE-2026-33419

9.1 CRITICAL

Key Information:

Vendor: MinIO
Status: Vendor
CVE Published: 24 March 2026

What is CVE-2026-33419?

MinIO AIStor, a high-performance object storage system, has a security flaw in the AssumeRoleWithLDAPIdentity endpoint of its Security Token Service (STS). The endpoint returns distinguishable error messages for invalid versus valid usernames, which enables username enumeration, and it applies no rate limiting to authentication attempts. Together these weaknesses let an unauthenticated remote attacker identify valid LDAP usernames and make unlimited password-guessing attempts against them to obtain AWS-style STS credentials, which in turn could give unauthorized access to the victim's S3 buckets and data. MinIO addressed the issue in RELEASE.2026-03-17T21-25-16Z and later releases.

Affected Version(s)

minio < RELEASE.2026-03-17T21-25-16Z

CVSS V4

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved