BIT-minio-2026-33419

Import Source
https://github.com/bitnami/vulndb/tree/main/data/minio/BIT-minio-2026-33419.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-minio-2026-33419
Aliases
Published
2026-03-27T07:08:02.540Z
Modified
2026-03-27T08:56:21.590158Z
Summary
MinIO: LDAP login brute-force via user enumeration and missing rate limit
Details

MinIO is a high-performance object storage system. Prior to 2026.03.17, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects. This issue has been patched in 2026.03.17.

Database specific
{
    "severity": "Critical",
    "cpes": [
        "cpe:2.3:a:minio:minio:*:*:*:*:*:go:*:*"
    ]
}
References

Affected packages

Bitnami / minio

Package

Name
minio
Purl
pkg:bitnami/minio

Severity

  • 9.1 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2026.03.17

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/minio/BIT-minio-2026-33419.json"