PT-2026-26758 · Minio · Minio Aistor+1

Harshavardhana · Published 2026-03-20 · Updated 2026-04-01 · CVE-2026-33419

CVSS v4.0: 9.1 (Critical)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
MinIO versions prior to RELEASE.2026-03-17T21-25-16Z

Description
The MinIO AIStor Security Token Service (STS) AssumeRoleWithLDAPIdentity endpoint is susceptible to LDAP credential brute-forcing. The issue combines two weaknesses: the endpoint returns distinguishable error responses, which allows username enumeration, and it applies no rate limiting to authentication attempts. An unauthenticated network attacker can therefore enumerate valid LDAP usernames and then make unlimited, high-speed password guesses against them. A successful guess yields temporary AWS-style STS credentials with full access to the victim user's S3 buckets and objects. The API endpoint /Action=AssumeRoleWithLDAPIdentity is involved in this issue.

Recommendations
Upgrade to MinIO AIStor RELEASE.2026-03-17T21-25-16Z or later. If upgrading is not immediately possible, apply the following mitigations:
implement network-level rate limiting on requests to the /Action=AssumeRoleWithLDAPIdentity endpoint;
restrict access to the STS endpoint to trusted networks/IP ranges only;
configure account lockout policies on the LDAP server.
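The two behaviours the advisory describes (one source trying many distinct LDAP usernames, and one source making many failed attempts against a single username) leave a clear footprint in access logs, so a defender who cannot upgrade immediately can at least alert on them. The following is an added example written for this page, not MinIO's own code: it runs a sliding-window detector over constructed, audit-style JSON log lines. The record shape (fields time, remotehost, action, user, status) is an assumption made for the example; MinIO's real audit log field names may differ, so adapt the accessors to your deployment.

```python
"""Sliding-window detection of STS credential-guessing patterns.

Added example (not MinIO code). Record shape and thresholds are assumptions.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The STS action named in the advisory.
STS_ACTION = "AssumeRoleWithLDAPIdentity"


def _rec(second, host, user, status, action=STS_ACTION):
    """Build one constructed JSON log line (sample data, not real traffic)."""
    return json.dumps({
        "time": f"2026-03-18T10:00:{second:02d}Z",
        "remotehost": host,
        "action": action,
        "user": user,
        "status": status,
    })


# Constructed sample log: an enumeration burst, a single-account brute force,
# one benign STS success and one non-STS request that must be ignored.
SAMPLE_LOG = "\n".join(
    [_rec(i, "198.51.100.7", f"user{i}", 403) for i in range(8)]   # enumeration
    + [_rec(i, "203.0.113.9", "alice", 403) for i in range(12)]    # brute force
    + [_rec(30, "192.0.2.5", "bob", 200)]                          # benign
    + [_rec(31, "192.0.2.5", "bob", 200, action="GetObject")]      # not STS
)


def parse_records(text):
    """Parse newline-delimited JSON records and sort them by timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    records.sort(key=lambda r: r["ts"])  # stable: ties keep input order
    return records


def detect(records, window=timedelta(seconds=60), distinct_users=5, failures=10):
    """Flag sources that enumerate usernames or brute-force one account.

    Thresholds (5 distinct usernames, 10 failures per user, within 60 s)
    are assumptions for the example; tune them to your traffic.
    """
    alerts = {"enumeration": [], "brute_force": []}
    per_source = defaultdict(deque)  # host -> deque of (ts, user, status)
    flagged_enum, flagged_bf = set(), set()

    for r in records:
        if r.get("action") != STS_ACTION:
            continue
        host, user = r["remotehost"], r["user"]
        q = per_source[host]
        q.append((r["ts"], user, r["status"]))
        # Evict entries that have fallen out of the sliding window.
        while q and r["ts"] - q[0][0] > window:
            q.popleft()

        # Enumeration: many distinct usernames from one source.
        users = {u for _, u, _ in q}
        if len(users) >= distinct_users and host not in flagged_enum:
            flagged_enum.add(host)
            alerts["enumeration"].append(
                {"source": host, "distinct_users": len(users), "at": r["time"]})

        # Brute force: many non-200 responses for one user from one source.
        fails = sum(1 for _, u, s in q if u == user and s != 200)
        if fails >= failures and (host, user) not in flagged_bf:
            flagged_bf.add((host, user))
            alerts["brute_force"].append(
                {"source": host, "user": user, "failures": fails, "at": r["time"]})
    return alerts


def analyse(text=SAMPLE_LOG):
    """Convenience entry point: parse then detect."""
    return detect(parse_records(text))


if __name__ == "__main__":
    print(json.dumps(analyse(), indent=2))
```

Each source is flagged at most once per pattern so a sustained attack produces one alert rather than a flood; the enumeration check counts every STS attempt from the source, while the brute-force check counts only failures, so a legitimate user's repeated successful renewals do not trip it.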

Fix

Weakness Enumeration

Improper Restriction of Excessive Authentication Attempts

Related Identifiers

BIT-MINIO-2026-33419
CVE-2026-33419
GHSA-JV87-32HW-HH99
GO-2026-4803
SUSE-SU-2026:1135-1

Affected Products

Minio
Minio Aistor