Platform: go
Component: github.com/minio/minio
Fixed in: 2026.0.1, 0.0.1
CVE-2026-33419 is a critical vulnerability affecting MinIO object storage. This flaw allows attackers to brute-force LDAP logins through user enumeration, bypassing authentication controls. The vulnerability impacts MinIO versions up to 0.0.0-20260212201848-7aac2a2c5b7c. A fix has been released in version RELEASE.2026-03-17T21-25-16Z.
The impact of CVE-2026-33419 is severe. Successful exploitation allows an attacker to enumerate valid LDAP users and then brute-force their credentials. This can lead to unauthorized access to MinIO buckets, potentially exposing sensitive data stored within. The lack of a rate limit exacerbates the risk, enabling rapid attempts to guess passwords. Compromise of MinIO could also facilitate lateral movement within the network if the storage is integrated with other systems, as attackers could leverage stolen credentials to access other resources. The blast radius extends to any data stored in MinIO, including backups, archives, and application data.
CVE-2026-33419 was publicly disclosed on March 20, 2026. The vulnerability's severity and ease of exploitation suggest a medium probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the vulnerability's nature makes it likely that one will emerge. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.06% (19th percentile)
CISA SSVC
The primary mitigation for CVE-2026-33419 is to immediately upgrade MinIO to version RELEASE.2026-03-17T21-25-16Z or later. If upgrading is not immediately feasible, consider temporary workarounds: restrict LDAP access to trusted networks using firewall rules, and enable multi-factor authentication (MFA) for LDAP users. Monitor LDAP logs for suspicious login attempts and implement rate limiting at the LDAP server level if possible. After upgrading, verify the fix by attempting a brute-force LDAP login from an unauthorized source; the repeated attempts should be rejected rather than succeeding.
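To make the "monitor LDAP logs for suspicious login attempts" advice concrete, here is an added Go example that is not MinIO's code and not part of this advisory. It scans constructed sample log lines for the two signatures of this attack pattern: a burst of failed logins from one source inside a short window, and one source failing against many distinct usernames (the enumeration signature). The log format, field names and addresses are assumed for the illustration; adapt parseLine to the real format of your LDAP server or MinIO audit log.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample lines for this illustration. The format
// "<RFC3339 time> ldap-auth result=<ok|fail> user=<name> src=<ip>" is assumed
// here and is not MinIO's or any LDAP server's real log format.
const sampleLog = `2026-03-18T10:00:01Z ldap-auth result=fail user=alice src=203.0.113.7
2026-03-18T10:00:02Z ldap-auth result=fail user=bob src=203.0.113.7
2026-03-18T10:00:03Z ldap-auth result=fail user=carol src=203.0.113.7
2026-03-18T10:00:04Z ldap-auth result=fail user=dave src=203.0.113.7
2026-03-18T10:00:05Z ldap-auth result=fail user=erin src=203.0.113.7
2026-03-18T10:00:06Z ldap-auth result=fail user=alice src=203.0.113.7
2026-03-18T10:00:30Z ldap-auth result=fail user=frank src=198.51.100.4
2026-03-18T10:00:41Z ldap-auth result=ok user=frank src=198.51.100.4
2026-03-18T10:05:00Z ldap-auth result=fail user=grace src=192.0.2.9
2026-03-18T10:15:00Z ldap-auth result=fail user=grace src=192.0.2.9`

// attempt is one parsed login event.
type attempt struct {
	at   time.Time
	ok   bool
	user string
	src  string
}

// parseLine reads one log line; unrelated or malformed lines are skipped.
func parseLine(line string) (attempt, bool) {
	fields := strings.Fields(line)
	if len(fields) < 3 || fields[1] != "ldap-auth" {
		return attempt{}, false
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return attempt{}, false
	}
	a := attempt{at: at}
	for _, f := range fields[2:] {
		k, v, found := strings.Cut(f, "=")
		if !found {
			continue
		}
		switch k {
		case "result":
			a.ok = v == "ok"
		case "user":
			a.user = v
		case "src":
			a.src = v
		}
	}
	return a, true
}

// Finding summarises one source that tripped the threshold.
type Finding struct {
	Src      string
	Failures int // total failed attempts from this source
	Users    int // distinct usernames that failed; many of them suggests enumeration
}

// DetectBruteForce flags every source with at least maxFail failed logins
// inside some interval no longer than window.
func DetectBruteForce(log string, window time.Duration, maxFail int) map[string]Finding {
	bySrc := map[string][]attempt{}
	for _, line := range strings.Split(log, "\n") {
		if a, ok := parseLine(line); ok && !a.ok {
			bySrc[a.src] = append(bySrc[a.src], a)
		}
	}
	findings := map[string]Finding{}
	for src, fails := range bySrc {
		sort.Slice(fails, func(i, j int) bool { return fails[i].at.Before(fails[j].at) })
		users := map[string]bool{}
		for _, f := range fails {
			users[f.user] = true
		}
		// Sliding window: advance start until the span [start, end] fits inside window.
		start := 0
		for end := range fails {
			for fails[end].at.Sub(fails[start].at) > window {
				start++
			}
			if end-start+1 >= maxFail {
				findings[src] = Finding{Src: src, Failures: len(fails), Users: len(users)}
				break
			}
		}
	}
	return findings
}

func main() {
	for _, f := range DetectBruteForce(sampleLog, time.Minute, 5) {
		fmt.Printf("ALERT src=%s failures=%d distinct_users=%d\n", f.Src, f.Failures, f.Users)
	}
}
```

On the sample data only 203.0.113.7 is flagged: six failures in five seconds across five different usernames, while the single typo from 198.51.100.4 followed by a successful login and the two widely spaced failures from 192.0.2.9 stay below the threshold. Tune window and maxFail to your environment, and treat a high distinct-user count from one source as a stronger signal than the raw failure count.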
Update MinIO to version RELEASE.2026-03-17T21-25-16Z or later. This version fixes the LDAP brute-force vulnerability by implementing rate limits and removing distinguishable error responses for user enumeration.
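The two fixes named above, a uniform failure response and a limit on failed attempts, are illustrated in the added Go example below. It is not MinIO's code and does not reproduce the actual patch; the in-memory directory map stands in for the LDAP bind, and the type and function names are assumed. The weak pattern is shown beside the hardened one so the difference in what a caller can learn from the error is visible.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Constructed stand-in for the LDAP directory (username -> password). A real
// deployment delegates the check to an LDAP bind; the map only illustrates it.
var directory = map[string]string{
	"alice": "correct horse battery staple",
}

// ErrAuthFailed is the single error returned for every failed login, so the
// caller cannot tell "unknown user" from "wrong password".
var ErrAuthFailed = errors.New("authentication failed")

// ErrRateLimited is returned once a key has exhausted its attempts.
var ErrRateLimited = errors.New("too many failed attempts, try again later")

// vulnerableLogin is the weak pattern: the error text reveals whether the
// username exists, and nothing limits how often it can be called.
func vulnerableLogin(user, password string) error {
	pw, ok := directory[user]
	if !ok {
		return errors.New("user not found") // leaks that the user does not exist
	}
	if pw != password {
		return errors.New("invalid password") // leaks that the user does exist
	}
	return nil
}

// FailureLimiter counts failed attempts per key (username, source IP, ...)
// inside a sliding window and blocks the key once max is reached.
type FailureLimiter struct {
	mu       sync.Mutex
	max      int
	window   time.Duration
	now      func() time.Time // injected so the clock can be controlled in tests
	failures map[string][]time.Time
}

func NewFailureLimiter(max int, window time.Duration, now func() time.Time) *FailureLimiter {
	return &FailureLimiter{max: max, window: window, now: now, failures: map[string][]time.Time{}}
}

// prune drops timestamps older than the window and returns the remaining count.
func (l *FailureLimiter) prune(key string) int {
	cutoff := l.now().Add(-l.window)
	kept := l.failures[key][:0]
	for _, t := range l.failures[key] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	l.failures[key] = kept
	return len(kept)
}

// Blocked reports whether key has already used up its attempts.
func (l *FailureLimiter) Blocked(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	return l.prune(key) >= l.max
}

// RecordFailure stores one failed attempt for key.
func (l *FailureLimiter) RecordFailure(key string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.prune(key)
	l.failures[key] = append(l.failures[key], l.now())
}

// HardenedLogin applies both fixes: the attempt limit is checked first, and
// every failure, whatever its cause, yields the same ErrAuthFailed. The
// comparison runs even for unknown users so both cases do the same work.
func HardenedLogin(l *FailureLimiter, user, password string) error {
	if l.Blocked(user) {
		return ErrRateLimited
	}
	pw, ok := directory[user]
	match := subtle.ConstantTimeCompare([]byte(pw), []byte(password)) == 1
	if !ok || !match {
		l.RecordFailure(user)
		return ErrAuthFailed
	}
	return nil
}

func main() {
	l := NewFailureLimiter(3, time.Minute, time.Now)
	fmt.Println("vulnerable, unknown user:  ", vulnerableLogin("mallory", "x"))
	fmt.Println("vulnerable, wrong password:", vulnerableLogin("alice", "x"))
	fmt.Println("hardened, unknown user:    ", HardenedLogin(l, "mallory", "x"))
	fmt.Println("hardened, wrong password:  ", HardenedLogin(l, "alice", "x"))
	for i := 0; i < 3; i++ {
		HardenedLogin(l, "alice", "guess")
	}
	fmt.Println("hardened, after limit:     ", HardenedLogin(l, "alice", "correct horse battery staple"))
}
```

Two design points matter in practice. Keying the limiter only by username lets anyone lock a victim out by sending junk passwords, so deployments normally combine a per-user limit with a per-source limit and use increasing backoff rather than a hard block. The distinguishing reason (unknown user versus bad password) should still be recorded server-side for the monitoring described above; it simply must never reach the client.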
CVE-2026-33419 is a critical vulnerability in MinIO that allows attackers to brute-force LDAP logins due to a missing rate limit, potentially granting unauthorized access to stored data.
You are affected if you are running MinIO versions prior to RELEASE.2026-03-17T21-25-16Z and are using LDAP authentication.
Upgrade MinIO to version RELEASE.2026-03-17T21-25-16Z or later. Consider temporary workarounds like restricting LDAP access and enabling MFA if immediate upgrade is not possible.
While no public exploits are currently known, the vulnerability's nature suggests a potential for exploitation, and proactive mitigation is recommended.
Refer to the official MinIO security advisory for detailed information and updates: [https://docs.min.io/minio/minio-security-advisories](https://docs.min.io/minio/minio-security-advisories)