CVE-2026-33419
CVE-2026-33419 is a high-severity vulnerability in Minio with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-204.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v4: 9.1
- EPSS exploit prediction: 0% (31st percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-15000
- Weakness: CWE-204
- Affected product: Minio
- Published:
- Last modified:
Description
MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.
Frequently asked questions
- What is CVE-2026-33419?
- MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.
- How severe is CVE-2026-33419?
- CVE-2026-33419 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2026-33419 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (31st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-33419?
- CVE-2026-33419 affects Minio. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-33419?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-33419 have an EU (EUVD) identifier?
- Yes. CVE-2026-33419 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-15000.
- When was CVE-2026-33419 published?
- CVE-2026-33419 was published on 2026-03-24 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*
More vulnerabilities in Minio
- CVE-2026-33322 — Critical (CVSS 9.8): MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before…
- CVE-2020-11012 — Critical (CVSS 9.3): MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an…
- CVE-2024-24747 — High (CVSS 8.8): MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the…
- CVE-2023-28434 — High (CVSS 8.8): Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted…
- CVE-2023-28433 — High (CVSS 8.8): Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are…
- CVE-2022-24842 — High (CVSS 8.8): MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was…
Other CWE-204 vulnerabilities
- CVE-2018-25350 — Critical (CVSS 9.8): userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid…
- CVE-2025-5485 — High (CVSS 8.6): User names used to access the web management interface are limited to the device identifier, which is a numerical…
- CVE-2025-12455 — High (CVSS 7.5): Observable response discrepancy vulnerability in OpenText™ Vertica allows Password Brute Forcing. The…
- CVE-2025-46390 — High (CVSS 7.5): CWE-204: Observable Response Discrepancy
- CVE-2025-3092 — High (CVSS 7.5): An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint.
- CVE-2026-4113 — High (CVSS 7.2): An observable response discrepancy vulnerability in the SonicWall SMA1000 series appliances allows a remote attacker to…