Platform: go
Component: github.com/minio/minio
Fixed version: 2026.0.1
0.0.1
CVE-2026-33419 is a critical vulnerability affecting MinIO object storage. This flaw allows attackers to brute-force LDAP logins through user enumeration, bypassing authentication controls. The vulnerability impacts MinIO versions up to 0.0.0-20260212201848-7aac2a2c5b7c. A fix has been released in version RELEASE.2026-03-17T21-25-16Z.
The impact of CVE-2026-33419 is severe. Successful exploitation allows an attacker to enumerate valid LDAP users and then brute-force their credentials. This can lead to unauthorized access to MinIO buckets, potentially exposing sensitive data stored within. The lack of a rate limit exacerbates the risk, enabling rapid attempts to guess passwords. Compromise of MinIO could also facilitate lateral movement within the network if the storage is integrated with other systems, as attackers could leverage stolen credentials to access other resources. The blast radius extends to any data stored in MinIO, including backups, archives, and application data.
CVE-2026-33419 was publicly disclosed on March 20, 2026. The vulnerability's severity and ease of exploitation suggest a medium probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the vulnerability's nature makes it likely that one will emerge. It is not currently listed on the CISA KEV catalog.
Organizations heavily reliant on MinIO for data storage, particularly those using LDAP authentication for user access, are at significant risk. Environments with weak LDAP password policies or those lacking network segmentation are especially vulnerable. Shared hosting environments utilizing MinIO also pose a heightened risk due to potential cross-tenant exposure.
• linux / server:
journalctl -u minio -g ldap | grep "invalid credentials"
• generic web:
curl -I https://<minio_endpoint>/ | grep 'Server: MinIO' # Verify MinIO version
• linux / server:
ps aux | grep minio | grep ldap # Check for LDAP connections
Exploit status
EPSS: 0.06% (19th percentile)
CISA SSVC:
The primary mitigation for CVE-2026-33419 is to immediately upgrade MinIO to version RELEASE.2026-03-17T21-25-16Z or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. These include restricting LDAP access to trusted networks using firewall rules, and enabling multi-factor authentication (MFA) for LDAP users. Monitor LDAP logs for suspicious login attempts and implement rate limiting at the LDAP server level if possible. After upgrading, verify the fix by attempting a brute-force LDAP login from an unauthorized source; successful authentication should be prevented.
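The paragraph above recommends monitoring LDAP logs for suspicious login attempts. The script below is an added example, not MinIO's code and not part of this advisory: a POSIX shell script that extends the journalctl/grep check into a small triage step, counting failed LDAP logins per user (a brute-force signal) and distinct user names tried per source address (an enumeration signal) over a few constructed log lines. The log line format, the `user=` and `src=` fields, and the thresholds are assumptions; adapt the `sed` extraction to the format your MinIO build actually emits.

```shell
#!/bin/sh
# Added example (not MinIO's code): summarise failed LDAP logins from MinIO
# log lines so that brute-force and enumeration patterns stand out.
# The log line format below is CONSTRUCTED for this example; the real
# MinIO log format may differ, so adjust the sed field extraction.

# Constructed sample: a burst of failures against one user (brute force)
# and one source cycling through many different user names (enumeration).
SAMPLE_LOG='2026-03-20T10:00:01Z ERROR ldap: invalid credentials user=alice src=10.0.0.5
2026-03-20T10:00:02Z ERROR ldap: invalid credentials user=alice src=10.0.0.5
2026-03-20T10:00:02Z ERROR ldap: invalid credentials user=alice src=10.0.0.5
2026-03-20T10:00:03Z ERROR ldap: invalid credentials user=alice src=10.0.0.5
2026-03-20T10:00:03Z ERROR ldap: invalid credentials user=alice src=10.0.0.5
2026-03-20T10:00:04Z INFO  ldap: login ok user=bob src=10.0.0.7
2026-03-20T10:00:05Z ERROR ldap: invalid credentials user=carol src=10.0.0.9
2026-03-20T10:00:05Z ERROR ldap: invalid credentials user=dave src=10.0.0.9
2026-03-20T10:00:06Z ERROR ldap: invalid credentials user=erin src=10.0.0.9
2026-03-20T10:00:06Z ERROR ldap: invalid credentials user=frank src=10.0.0.9
2026-03-20T10:00:07Z ERROR ldap: invalid credentials user=bob src=10.0.0.7'

# failed_ldap_lines: keep only LDAP authentication failures (stdin -> stdout)
failed_ldap_lines() {
  grep -i 'ldap' | grep -i 'invalid credentials'
}

# failures_per_user: print "count user" per user name, most failures first
failures_per_user() {
  failed_ldap_lines |
    sed -n 's/.*user=\([^ ]*\).*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# distinct_users_per_src: print "count src", where count is the number of
# DIFFERENT user names that failed from that source address, most first
distinct_users_per_src() {
  failed_ldap_lines |
    sed -n 's/.*user=\([^ ]*\) src=\([^ ]*\).*/\2 \1/p' |
    sort -u |
    awk '{ print $1 }' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# flag_bruteforce N: user names with at least N failed logins
flag_bruteforce() {
  failures_per_user | awk -v t="$1" '$1 >= t { print $2 }'
}

# flag_enumeration N: source addresses that failed against at least N
# distinct user names
flag_enumeration() {
  distinct_users_per_src | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample (thresholds are assumptions)
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 5
printf '%s\n' "$SAMPLE_LOG" | flag_enumeration 4
```

In production, feed the functions from `journalctl -u minio -g ldap --since "-1h"` rather than the embedded sample, and pick thresholds from your own baseline of failed logins; the two counters are kept separate because a single user with many failures and a single source touching many users are different findings that warrant different responses.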
Upgrade MinIO to version RELEASE.2026-03-17T21-25-16Z or later. This version fixes the LDAP brute-force vulnerability by implementing rate limits and removing the distinguishable error responses that enabled user enumeration.
CVE-2026-33419 is a critical vulnerability in MinIO that allows attackers to brute-force LDAP logins due to a missing rate limit, potentially granting unauthorized access to stored data.
You are affected if you are running MinIO versions prior to RELEASE.2026-03-17T21-25-16Z and are using LDAP authentication.
Upgrade MinIO to version RELEASE.2026-03-17T21-25-16Z or later. Consider temporary workarounds like restricting LDAP access and enabling MFA if immediate upgrade is not possible.
While no public exploits are currently known, the vulnerability's nature suggests a potential for exploitation, and proactive mitigation is recommended.
Refer to the official MinIO security advisory for detailed information and updates: [https://docs.min.io/minio/minio-security-advisories](https://docs.min.io/minio/minio-security-advisories)