CVE-2026-33419
Published: 24 March 2026
Summary
CVE-2026-33419 is a high-severity Observable Response Discrepancy (CWE-204) vulnerability in MinIO. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Domain Account (T1087.002). The CVE is ranked at the 5.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-6 (Authentication Feedback).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-7 enforces limits and lockouts on unsuccessful logon attempts, directly mitigating the absence of rate limiting that enables unlimited LDAP credential brute-forcing in this CVE.
IA-6 obscures feedback of authentication information, preventing username enumeration through distinguishable error responses as exploited in this CVE.
SI-11 requires error messages that do not reveal exploitable information like valid usernames via response differences, directly addressing the information disclosure weakness (CWE-204) in this CVE.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables username enumeration via error responses (T1087.002) and unlimited password guessing (T1110.001) against the public-facing MinIO STS endpoint (T1190).
NVD Description
MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.
Deeper analysis
CVE-2026-33419 is a vulnerability in MinIO, a high-performance object storage system, specifically affecting the AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint in versions prior to RELEASE.2026-03-17T21-25-16Z. It stems from two combined weaknesses: distinguishable error responses that enable username enumeration (CWE-204) and the absence of rate limiting on authentication attempts (CWE-307), collectively allowing LDAP credential brute-forcing. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-03-24.
An unauthenticated network attacker can exploit this vulnerability by sending crafted requests to the endpoint to enumerate valid LDAP usernames based on differing error responses, followed by unlimited password guessing attempts against those accounts. If successful, the attacker obtains temporary AWS-style STS credentials, granting access to the victim's S3 buckets and objects.
MinIO has patched this issue in release RELEASE.2026-03-17T21-25-16Z. Additional details on the vulnerability and mitigation are available in the security advisory at https://github.com/minio/minio/security/advisories/GHSA-jv87-32hw-hh99.
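As an added illustration of the two controls listed above (uniform authentication feedback per IA-6/SI-11, and a lockout on repeated failures per AC-7), the following Go example is not MinIO's code and does not reproduce the patched handler; the Lockout type, the in-memory directory and the lookup function are constructed stand-ins for the LDAP bind.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"sync"
	"time"
)

// ErrAuthFailed is the single error for every failure path, so an unknown
// username and a wrong password are indistinguishable (IA-6, SI-11).
var ErrAuthFailed = fmt.Errorf("authentication failed")
// Lockout counts failures per key (client IP or username) within a fixed
// window and refuses further attempts once the limit is reached (AC-7).
type Lockout struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	count  map[string]int
	since  map[string]time.Time
}
func NewLockout(limit int, window time.Duration) *Lockout {
	return &Lockout{limit: limit, window: window, count: map[string]int{}, since: map[string]time.Time{}}
}
// Authenticate checks user/password through lookup (a constructed stand-in for
// the LDAP bind); lockout, unknown user and wrong password all return the same
// error, and the password comparison runs even when the user does not exist.
func (l *Lockout) Authenticate(key, user, password string, lookup func(string) (string, bool)) error {
	l.mu.Lock()
	defer l.mu.Unlock()
	if time.Since(l.since[key]) > l.window { // window elapsed: start a fresh count
		l.count[key], l.since[key] = 0, time.Now()
	}
	if l.count[key] >= l.limit { return ErrAuthFailed }
	stored, ok := lookup(user)
	hs, hp := sha256.Sum256([]byte(stored)), sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(hs[:], hp[:]) != 1 || !ok {
		l.count[key]++
		return ErrAuthFailed
	}
	l.count[key] = 0 // success clears the failure count
	return nil
}

func main() {
	l := NewLockout(3, time.Minute)
	dir := func(u string) (string, bool) { p, ok := map[string]string{"alice": "s3cret"}[u]; return p, ok }
	for _, u := range []string{"alice", "nobody", "alice", "alice"} {
		fmt.Println(u, l.Authenticate("10.0.0.5", u, "guess", dir)) // same error each time; 4th is locked out
	}
}
```

Hashing both values before the constant-time compare keeps the comparison cost independent of whether the username exists; a production deployment would key the counter on both source address and username and back it with shared storage across server nodes.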
Details
- CWE(s)