Platform
go
Component
github.com/minio/minio
Fixed in
2026.0.1
0.0.1
CVE-2026-33419 is a critical vulnerability in the MinIO object storage server that affects deployments authenticating users against LDAP. MinIO's LDAP login path returned distinguishable error responses for unknown and for known usernames and applied no rate limit, so an attacker could first enumerate valid LDAP users and then brute-force their passwords without ever being throttled, bypassing authentication. Affected are MinIO versions up to 0.0.0-20260212201848-7aac2a2c5b7c (Go pseudo-version); the fix shipped in release RELEASE.2026-03-17T21-25-16Z.
A successful attack yields valid LDAP credentials and, with them, the MinIO access of that user: reading, modifying or deleting objects in every bucket the compromised identity can reach, and, if an administrative LDAP user is guessed, control of the whole storage deployment. Because no rate limit applied, the guessing can be fully automated and completed quickly, so weak or reused directory passwords are likely to be found. The potential for widespread data exposure makes this a high-priority vulnerability to address.
CVE-2026-33419 was publicly disclosed on 2026-03-20. The attack needs nothing beyond network access to the login endpoint and a wordlist, so it is easy to carry out and public proof-of-concept (PoC) code may well follow; the EPSS score at the time of writing is nonetheless low (0.06%, 19th percentile), and the vulnerability has not been added to the CISA KEV catalog as of this writing.
Only deployments that use MinIO's LDAP identity provider are at risk; organizations that rely heavily on MinIO for data storage and authenticate users through LDAP should treat this as urgent. Environments with weak LDAP password policies or without network segmentation in front of the endpoint are especially exposed, and shared hosting environments running MinIO add the risk of cross-tenant exposure.
Detection checks:
• linux / server:
journalctl -u minio -g ldap | grep -i "invalid credentials"   # failed LDAP logins in the MinIO journal
• generic web:
curl -sI https://<minio_endpoint>/ | grep -i 'Server: MinIO'   # confirms the endpoint is MinIO; the header does not carry the version, check that with `minio --version` or `mc admin info <alias>`
• linux / server:
ps aux | grep '[m]inio'   # locate the MinIO process; LDAP is configured through MINIO_IDENTITY_LDAP_* environment variables (or inspect it with `mc idp ldap info <alias>`), so grepping the command line for "ldap" will usually show nothing
Disclosure
Patch
Exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
The primary mitigation for CVE-2026-33419 is to upgrade MinIO to RELEASE.2026-03-17T21-25-16Z or later without delay. If that is not immediately possible, reduce exposure in the meantime: restrict access to the MinIO endpoint to trusted networks with firewall rules; enforce strong LDAP password policies and, where the identity provider in front of MinIO supports it, multi-factor authentication (MFA); monitor MinIO and LDAP logs for bursts of failed logins and for a single source trying many different usernames; and consider a WAF (Web Application Firewall) or reverse proxy with rules that detect and block brute-force attempts. After upgrading, verify the fix with a test account: repeated failed logins from one client must be throttled, and the responses for an unknown username and for a known username with a wrong password must be indistinguishable.
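The log-monitoring step above can be made concrete. The following is an added example in Go, not part of this advisory and not MinIO code: it parses journal-style lines, groups failed LDAP logins by source address, and flags any source that reaches a threshold of failures inside a sliding window, also reporting how many distinct usernames that source tried, which is the signature of enumeration. The sample lines, their wording and the `lineRe` pattern are constructed assumptions; the real MinIO message format differs, so the regular expression and the timestamp layout must be adapted to your own journal output.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed sample in an assumed journal-like format. The wording of real
// MinIO log messages differs; adapt lineRe to what your own journal shows.
const sampleLog = `2026-03-20T10:00:00Z minio[1234]: Starting MinIO server
2026-03-20T10:00:01Z minio[1234]: LDAP auth failed user=alice from=198.51.100.7: invalid credentials
2026-03-20T10:00:02Z minio[1234]: LDAP auth failed user=bob from=198.51.100.7: invalid credentials
2026-03-20T10:00:03Z minio[1234]: LDAP auth failed user=carol from=198.51.100.7: invalid credentials
2026-03-20T10:00:04Z minio[1234]: LDAP auth failed user=dave from=198.51.100.7: invalid credentials
2026-03-20T10:00:05Z minio[1234]: LDAP auth failed user=erin from=198.51.100.7: invalid credentials
2026-03-20T10:00:06Z minio[1234]: LDAP auth failed user=frank from=198.51.100.7: invalid credentials
2026-03-20T10:00:09Z minio[1234]: LDAP auth ok user=carol from=10.0.0.12
2026-03-20T10:05:00Z minio[1234]: LDAP auth failed user=dave from=10.0.0.12: invalid credentials
2026-03-20T10:30:00Z minio[1234]: LDAP auth failed user=alice from=198.51.100.7: invalid credentials
`

// lineRe captures timestamp, username and source address of a failed login (assumed format).
var lineRe = regexp.MustCompile(`^(\S+) \S+ LDAP auth failed user=(\S+) from=(\S+):`)

type Failure struct {
	At     time.Time
	User   string
	Source string
}

// ParseFailures extracts failed LDAP logins; lines that do not match are skipped.
func ParseFailures(r io.Reader) ([]Failure, error) {
	var out []Failure
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		m := lineRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		at, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", m[1], err)
		}
		out = append(out, Failure{At: at, User: m[2], Source: m[3]})
	}
	return out, sc.Err()
}

type Finding struct {
	Source        string
	PeakAttempts  int // most failures from this source inside any single window
	DistinctUsers int // how many different usernames it tried (enumeration signal)
}

// FindBruteForce flags every source whose failures reach threshold within
// window. Failures are sorted per source and scanned with two indices, so
// the peak count for any window position is found in one pass.
func FindBruteForce(fs []Failure, window time.Duration, threshold int) []Finding {
	bySource := map[string][]Failure{}
	for _, f := range fs {
		bySource[f.Source] = append(bySource[f.Source], f)
	}
	var findings []Finding
	for src, list := range bySource {
		sort.Slice(list, func(i, j int) bool { return list[i].At.Before(list[j].At) })
		users := map[string]struct{}{}
		peak, j := 0, 0
		for i := range list {
			users[list[i].User] = struct{}{}
			for j < len(list) && list[j].At.Sub(list[i].At) <= window {
				j++
			}
			if j-i > peak {
				peak = j - i
			}
		}
		if peak >= threshold {
			findings = append(findings, Finding{Source: src, PeakAttempts: peak, DistinctUsers: len(users)})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Source < findings[j].Source })
	return findings
}

func main() {
	fs, err := ParseFailures(strings.NewReader(sampleLog))
	if err != nil {
		panic(err)
	}
	// Window and threshold are assumptions; tune them to your own traffic.
	for _, f := range FindBruteForce(fs, time.Minute, 5) {
		fmt.Printf("%s: %d failures within one minute, %d distinct users tried\n",
			f.Source, f.PeakAttempts, f.DistinctUsers)
	}
}
```

On the constructed sample, 198.51.100.7 is flagged (six failures in six seconds against six different accounts; its later single failure at 10:30 falls outside the window) while 10.0.0.12 is not. To run it against a live system, replace `strings.NewReader(sampleLog)` with `os.Stdin`, pipe `journalctl -u minio` output into it, and adjust both `lineRe` and the timestamp layout to the format your journal actually emits.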
Update MinIO to version RELEASE.2026-03-17T21-25-16Z or later. This release fixes the LDAP brute-force vulnerability by adding rate limiting and by removing the distinguishable error responses that allowed user enumeration.
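To make the two defects the fix addresses concrete, here is an added example in Go; it is neither MinIO code nor the actual patch. `LoginLeaky` shows the vulnerable pattern: a different error for an unknown user than for a wrong password, and no limit on attempts. `Authenticator.Login` shows the hardened form: one generic error, the same amount of work whether or not the user exists, and failed attempts throttled per client and per user. The in-memory `directory` map, the thresholds and the error texts are assumptions made for the illustration; a real deployment performs an LDAP bind in place of the map lookup.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Constructed stand-in for the directory: username -> password. MinIO itself
// performs an LDAP bind; this map only exists so the example runs offline.
var directory = map[string]string{
	"alice": "correct horse battery staple",
	"bob":   "hunter2",
}

var (
	ErrUserNotFound = errors.New("ldap: user not found")  // leaky: user does not exist
	ErrBadPassword  = errors.New("ldap: invalid password") // leaky: user does exist
	ErrInvalidCreds = errors.New("invalid credentials")    // generic: same in both cases
	ErrRateLimited  = errors.New("too many attempts, try again later")
)

// LoginLeaky is the vulnerable pattern: the error discloses whether the
// username exists, and nothing limits how often it can be called.
func LoginLeaky(user, pass string) error {
	stored, ok := directory[user]
	if !ok {
		return ErrUserNotFound
	}
	if stored != pass {
		return ErrBadPassword
	}
	return nil
}

// Limiter records failed attempts per key and blocks a key once it has
// accumulated max failures inside a sliding window.
type Limiter struct {
	mu     sync.Mutex
	max    int
	window time.Duration
	fails  map[string][]time.Time
}

func NewLimiter(max int, window time.Duration) *Limiter {
	return &Limiter{max: max, window: window, fails: make(map[string][]time.Time)}
}

// prune drops failures older than the window; the caller must hold mu.
func (l *Limiter) prune(key string, now time.Time) []time.Time {
	cutoff := now.Add(-l.window)
	kept := l.fails[key][:0]
	for _, t := range l.fails[key] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	l.fails[key] = kept
	return kept
}

func (l *Limiter) Blocked(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	return len(l.prune(key, now)) >= l.max
}

func (l *Limiter) Fail(key string, now time.Time) {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.fails[key] = append(l.prune(key, now), now)
}

// Authenticator is the hardened form. The per-client bucket stops enumeration
// and brute force from one source; the per-user bucket has a higher threshold
// (assumed values) so one attacker cannot cheaply lock a real user out, yet
// still catches guessing spread across many sources.
type Authenticator struct {
	perClient *Limiter
	perUser   *Limiter
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{perClient: NewLimiter(5, time.Minute), perUser: NewLimiter(20, time.Minute)}
}

// dummyDigest is compared against when the user is unknown, so that path costs
// the same as a real comparison and timing does not reveal existence.
var dummyDigest = sha256.Sum256([]byte("dummy value for unknown users"))

func (a *Authenticator) Login(client, user, pass string, now time.Time) error {
	if a.perClient.Blocked(client, now) || a.perUser.Blocked(user, now) {
		return ErrRateLimited
	}
	stored, ok := directory[user]
	expected := dummyDigest
	if ok {
		expected = sha256.Sum256([]byte(stored))
	}
	got := sha256.Sum256([]byte(pass)) // fixed-length digests: compare cost is independent of input length
	match := subtle.ConstantTimeCompare(expected[:], got[:]) == 1
	if !ok || !match {
		a.perClient.Fail(client, now)
		a.perUser.Fail(user, now)
		return ErrInvalidCreds // identical whether the user exists or not
	}
	return nil
}

func main() {
	fmt.Println("leaky:", LoginLeaky("mallory", "x"), "/", LoginLeaky("alice", "x"))
	a, now := NewAuthenticator(), time.Now()
	// Six guesses from one address: the sixth is throttled even before the password is checked.
	for i, u := range []string{"mallory", "alice", "bob", "root", "admin", "alice"} {
		fmt.Printf("hardened attempt %d (%s): %v\n", i+1, u, a.Login("198.51.100.7", u, "x", now))
	}
}
```

Two design points worth noting: only failures are counted, so legitimate users logging in normally never consume budget, and the per-user bucket is deliberately looser than the per-client bucket, because a per-user limit alone is a denial-of-service lever against any account whose name is known. Distinguishable timing is handled by always performing a comparison; the real fix in MinIO addresses the LDAP bind path, not this toy map.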
CVE-2026-33419 is a critical vulnerability in MinIO that allows attackers to brute-force LDAP logins due to a missing rate limit, potentially granting unauthorized access to stored data.
You are affected if you are running MinIO versions prior to RELEASE.2026-03-17T21-25-16Z and are using LDAP authentication.
Upgrade MinIO to version RELEASE.2026-03-17T21-25-16Z or later. Consider temporary workarounds like restricting LDAP access and enabling MFA if immediate upgrade is not possible.
No public exploit is known at the time of writing, but the flaw is simple to exploit, so proactive mitigation is recommended.
Refer to the official MinIO security advisory for detailed information and updates: [https://docs.min.io/minio/minio-security-advisories](https://docs.min.io/minio/minio-security-advisories)