Cyber Resilience

CVE-2026-33419

Severity: Critical
Published: 24 March 2026
Modified: 08 April 2026
CISA KEV: not listed
Patch: available (RELEASE.2026-03-17T21-25-16Z)
CVSS v4.0 base score: 9.1 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)
EPSS score: 0.0039 (31.1st percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-33419 is a critical-severity Observable Response Discrepancy (CWE-204) vulnerability in MinIO (listed as vendor Minio, product Minio), compounded by missing rate limiting on authentication attempts (CWE-307). Its CVSS v4.0 base score is 9.1 (Critical); the CVSS v3.1 base score given in the deeper analysis below is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK techniques Domain Account discovery (T1087.002) and Password Guessing (T1110.001). EPSS ranks it at the 31.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts), IA-6 (Authentication Feedback) and SI-11 (Error Handling); the definitive fix is upgrading to RELEASE.2026-03-17T21-25-16Z or later.

Deeper analysis

CVE-2026-33419 is a vulnerability in MinIO, a high-performance object storage system; specifically, it affects the STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint of MinIO AIStor in versions prior to RELEASE.2026-03-17T21-25-16Z. It stems from two weaknesses that compound each other: error responses that differ depending on whether the supplied LDAP username exists, which enables username enumeration (CWE-204, Observable Response Discrepancy), and the absence of any rate limiting on authentication attempts (CWE-307, Improper Restriction of Excessive Authentication Attempts). Together they allow online brute-forcing of LDAP credentials: enumeration first narrows the search to accounts that actually exist, and the missing limit then lets the attacker try as many passwords as the network will carry. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) alongside the CVSS v4.0 score of 9.1 shown above, and was published on 2026-03-24. The vulnerable code path is the LDAP STS flow, so deployments that have not configured an LDAP identity provider do not expose it.

An unauthenticated attacker with network access to the endpoint can exploit this by sending crafted AssumeRoleWithLDAPIdentity requests and comparing the error responses to learn which LDAP usernames are valid, then submitting unlimited password guesses against those accounts. A correct guess yields temporary AWS-style STS credentials (access key, secret key and session token) that carry the policies assigned to that LDAP user, giving the attacker the same access to the victim's S3 buckets and objects that the user has. Because each guess is an online bind against the LDAP directory, the attempts also appear as failed binds on the LDAP server, which is a useful place to detect them even on unpatched MinIO releases.

MinIO patched this issue in RELEASE.2026-03-17T21-25-16Z; upgrade to that release or later. Additional details on the vulnerability and mitigation are available in the security advisory at https://github.com/minio/minio/security/advisories/GHSA-jv87-32hw-hh99. Where upgrading is delayed, limiting failed attempts at the LDAP server or at a reverse proxy in front of the STS endpoint, and alerting on bursts of failed AssumeRoleWithLDAPIdentity calls, reduce the exposure.

Vulnerability details

MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.

CWE(s)

CWE-204 Observable Response Discrepancy
CWE-307 Improper Restriction of Excessive Authentication Attempts

Related Threats

MITRE ATT&CK Enterprise Techniques

T1087.002 Domain Account (Discovery): Adversaries may attempt to get a listing of domain accounts.
T1110.001 Password Guessing (Credential Access): Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables username enumeration through distinguishable error responses (T1087.002) and unlimited password guessing (T1110.001) against the Internet-facing MinIO STS endpoint (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
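Detection logic for the two credential techniques mapped above, added here as an example and not code from this page or from the MinIO project. It is in Go because MinIO is a Go project. It reads a batch of newline-delimited JSON audit events, keeps only failed AssumeRoleWithLDAPIdentity calls, and flags a source that fails logons for many distinct usernames (T1087.002) or many times against one username (T1110.001). The event field names (time, api, remotehost, username, statusCode), the thresholds and the sample events are assumptions constructed for the example; they are not MinIO's actual audit-log schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is a simplified audit record for one STS call. The field names are an
// assumption made for this example, not MinIO's real audit-log schema.
type Event struct {
	Time       time.Time `json:"time"`
	API        string    `json:"api"`
	RemoteHost string    `json:"remotehost"`
	Username   string    `json:"username"`
	StatusCode int       `json:"statusCode"`
}

// Finding is one alert: a source trying many usernames or many passwords.
type Finding struct {
	Source  string
	Kind    string // "enumeration" (T1087.002) or "password-guessing" (T1110.001)
	Subject string // targeted username for password-guessing, empty otherwise
	Count   int
}

// Assumed thresholds for one batch of events; tune to the deployment's normal
// LDAP failure rate and feed the detector one time bucket at a time.
const (
	enumUsers     = 5  // distinct failing usernames from one source
	guessFailures = 10 // failures against one username from one source
)

// Detect parses newline-delimited JSON events and counts failed
// AssumeRoleWithLDAPIdentity calls per source and per (source, username).
func Detect(ndjson string) ([]Finding, error) {
	distinct := map[string]map[string]bool{} // source -> failing usernames
	failures := map[string]map[string]int{}  // source -> username -> failures
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad audit line %q: %w", line, err)
		}
		if e.API != "AssumeRoleWithLDAPIdentity" || e.StatusCode < 400 {
			continue // successes and other APIs are not part of this signal
		}
		if distinct[e.RemoteHost] == nil {
			distinct[e.RemoteHost] = map[string]bool{}
			failures[e.RemoteHost] = map[string]int{}
		}
		distinct[e.RemoteHost][e.Username] = true
		failures[e.RemoteHost][e.Username]++
	}
	var out []Finding
	for src, users := range distinct {
		if len(users) >= enumUsers {
			out = append(out, Finding{src, "enumeration", "", len(users)})
		}
		for u, n := range failures[src] {
			if n >= guessFailures {
				out = append(out, Finding{src, "password-guessing", u, n})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { // deterministic order for callers
		a, b := out[i], out[j]
		return a.Source+"|"+a.Kind+"|"+a.Subject < b.Source+"|"+b.Kind+"|"+b.Subject
	})
	return out, nil
}

// SampleAudit builds constructed events: one host enumerating six usernames and
// then guessing twelve passwords for svc-backup, plus a benign host with a typo.
func SampleAudit() string {
	base := time.Date(2026, 3, 25, 10, 0, 0, 0, time.UTC)
	var b strings.Builder
	add := func(sec int, host, user string, code int) {
		j, _ := json.Marshal(Event{base.Add(time.Duration(sec) * time.Second), "AssumeRoleWithLDAPIdentity", host, user, code})
		b.Write(append(j, '\n'))
	}
	// Vulnerable build: 400 means "no such user", 403 means "bad password", so
	// the attacker learns that svc-backup exists and then guesses against it.
	for i, u := range []string{"admin", "alice", "bob", "carol", "dave", "svc-backup"} {
		code := 400
		if u == "svc-backup" {
			code = 403
		}
		add(i, "203.0.113.7", u, code)
	}
	for i := 0; i < 12; i++ {
		add(10+i, "203.0.113.7", "svc-backup", 403)
	}
	add(30, "198.51.100.2", "carol", 403) // benign: one typo, then success
	add(45, "198.51.100.2", "carol", 200)
	return b.String()
}

func main() {
	f, err := Detect(SampleAudit())
	fmt.Println(f, err)
}
```

Real MinIO audit records carry the STS form parameters inside the request rather than as a top-level username, so a production version would map its input from the deployment's actual log shape and would bucket events by time before calling Detect; the counting logic is what carries over. On an unpatched build the tell-tale sequence is a burst of one status code across many usernames followed by a burst of the other status code against a single username from the same source.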

CVEs Like This One

CVE-2026-33322 (same product: MinIO)
CVE-2026-41145 (same product: MinIO)
CVE-2026-40344 (same product: MinIO)
CVE-2026-34204 (same product: MinIO)
CVE-2026-42600 (same product: MinIO)
CVE-2026-27981 (shared CWE-307)
CVE-2025-12995 (shared CWE-307)
CVE-2026-33152 (shared CWE-307)
CVE-2025-66204 (shared CWE-307)
CVE-2024-9342 (shared CWE-307)

Affected Assets

minio / minio: versions prior to RELEASE.2026-03-17T21-25-16Z (the fixed release itself is not affected)

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-7 (Unsuccessful Logon Attempts) enforces limits and lockouts on unsuccessful logon attempts, directly mitigating the absence of rate limiting that enables unlimited LDAP credential brute-forcing in this CVE.

Prevent: IA-6 (Authentication Feedback) obscures feedback of authentication information, preventing username enumeration through distinguishable error responses as exploited in this CVE.

Prevent: SI-11 (Error Handling) requires error messages that do not reveal exploitable information such as whether a username is valid, directly addressing the information disclosure weakness (CWE-204) in this CVE.
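The following Go code, added here as an example and not MinIO's own implementation, puts the weakness described in the deeper analysis beside the shape of fix that the AC-7, IA-6 and SI-11 controls above call for. VulnerableAssumeRole answers an unknown user and a wrong password with different status codes and bodies and never limits attempts; Hardened returns one uniform failure response and counts failures per username and per source address in a sliding window. The in-memory directory, the password values, the error strings and the limit of five failures per fifteen minutes are assumptions made for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"sync"
	"time"
)

// Response models the status code and error body an STS-style endpoint returns.
type Response struct {
	Status int
	Body   string
}

// directory is a constructed in-memory stand-in for the LDAP server the real
// endpoint binds against (plaintext only for illustration).
var directory = map[string]string{
	"alice":      "correct horse battery staple",
	"svc-backup": "Winter2026!",
}

// ldapBind stands in for an LDAP simple bind. Like a real directory it can tell
// "no such user" from "wrong password"; the endpoint decides whether to pass that on.
func ldapBind(user, pass string) (found, ok bool) {
	want, exists := directory[user]
	if !exists {
		// Do comparable work for unknown users so timing is not a trivial oracle.
		subtle.ConstantTimeCompare([]byte("dummy-password-of-some-length"), []byte(pass))
		return false, false
	}
	return true, subtle.ConstantTimeCompare([]byte(want), []byte(pass)) == 1
}

// VulnerableAssumeRole reproduces the two weaknesses in the advisory: responses
// that differ for unknown user vs. wrong password (CWE-204) and no cap on
// attempts (CWE-307). Illustrative only, not MinIO's code.
func VulnerableAssumeRole(user, pass string) Response {
	found, ok := ldapBind(user, pass)
	switch {
	case !found:
		return Response{400, "InvalidParameterValue: LDAP user not found"}
	case !ok:
		return Response{403, "AccessDenied: invalid LDAP credentials"}
	}
	return Response{200, "AssumeRoleWithLDAPIdentityResponse"}
}

// Hardened is the corrected shape: one uniform failure response (IA-6, SI-11)
// and a sliding-window failure cap per username and per source address (AC-7).
type Hardened struct {
	mu          sync.Mutex
	failures    map[string][]time.Time
	maxFailures int           // assumed policy value
	window      time.Duration // assumed policy value
}

func NewHardened() *Hardened {
	return &Hardened{failures: map[string][]time.Time{}, maxFailures: 5, window: 15 * time.Minute}
}

// recent drops failures for key that fell out of the window and returns the rest.
func (h *Hardened) recent(key string) []time.Time {
	cutoff := time.Now().Add(-h.window)
	kept := h.failures[key][:0]
	for _, t := range h.failures[key] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	h.failures[key] = kept
	return kept
}

// AssumeRole is the hardened handler; src is the caller's network address.
func (h *Hardened) AssumeRole(src, user, pass string) Response {
	h.mu.Lock()
	defer h.mu.Unlock()
	userKey, srcKey := "user:"+user, "src:"+src
	if len(h.recent(userKey)) >= h.maxFailures || len(h.recent(srcKey)) >= h.maxFailures {
		// Refuse before consulting the directory: the caller learns nothing new.
		return Response{429, "Throttled: too many failed attempts, retry later"}
	}
	found, ok := ldapBind(user, pass)
	if !found || !ok {
		now := time.Now()
		h.failures[userKey] = append(h.failures[userKey], now)
		h.failures[srcKey] = append(h.failures[srcKey], now)
		// Identical status and body whether or not the username exists.
		return Response{403, "AccessDenied: invalid LDAP credentials"}
	}
	delete(h.failures, userKey) // a successful logon resets the per-user counter
	return Response{200, "AssumeRoleWithLDAPIdentityResponse"}
}

func main() {
	h := NewHardened()
	fmt.Println(VulnerableAssumeRole("nobody", "x"), VulnerableAssumeRole("alice", "x"))
	fmt.Println(h.AssumeRole("203.0.113.7", "nobody", "x"), h.AssumeRole("203.0.113.7", "alice", "x"))
}
```

A per-username lockout is itself a denial-of-service lever, which is why the example also keys on the source address and clears the user counter on success; AC-7 permits delays or exponential backoff instead of hard lockouts where that fits the deployment better. The dummy comparison only evens out the in-process work: a real LDAP bind for a nonexistent DN may still return faster than a bind for a real one, so the timing side channel is narrowed, not removed.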
