Summary
Affected Versions
All MinIO releases through the final release of the minio/minio open-source project.
Binary Downloads
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio |
| Linux | arm64 | minio |
| macOS | arm64 | minio |
| macOS | amd64 | minio |
| Windows | amd64 | minio.exe |
FIPS Binaries
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio.fips |
| Linux | arm64 | minio.fips |
Package Downloads
| Format | Architecture | Download |
|---|---|---|
| DEB | amd64 | minio_20260317212516.0.0_amd64.deb |
| DEB | arm64 | minio_20260317212516.0.0_arm64.deb |
| RPM | amd64 | minio-20260317212516.0.0-1.x86_64.rpm |
| RPM | arm64 | minio-20260317212516.0.0-1.aarch64.rpm |
Container Images
# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z
# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips
Homebrew (macOS)
brew install minio/aistor/minio
Workarounds
If upgrading is not immediately possible:
- Network-level rate limiting: Use a reverse proxy (e.g., nginx, HAProxy) or WAF to rate-limit requests to the
/?Action=AssumeRoleWithLDAPIdentityendpoint. - Firewall restrictions: Restrict access to the STS endpoint to trusted networks/IP ranges only.
- LDAP account lockout: Configure account lockout policies on the LDAP server itself (e.g., Active Directory lockout threshold). Note: this protects against brute-force but not enumeration, and may cause denial-of-service for legitimate users.
Impact
What kind of vulnerability is it? Who is impacted?
MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects.
All deployments with LDAP configured running an affected version are impacted.
There are two vulnerabilities:
- User Enumeration via Distinguishable Error Messages (CWE-204)
- Missing Rate Limiting on STS Authentication Endpoints (CWE-307)
When exploited together, an attacker can:
- Enumerate valid LDAP usernames by observing error message differences.
- Perform high-speed password brute-force attacks against confirmed valid users.
- Upon finding valid credentials, obtain temporary AWS-style STS credentials (
AccessKeyId,SecretAccessKey,SessionToken) with full access to the victim user's S3 resources.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Fixed in: MinIO AIStor RELEASE.2026-03-17T21-25-16Z
Frequently Asked Questions
- What is CVE-2026-33419? CVE-2026-33419 is a critical-severity security vulnerability in github.com/minio/minio (go), affecting versions <= 0.0.0-20260212201848-7aac2a2c5b7c. No fixed version is listed yet.
- Which versions of github.com/minio/minio are affected by CVE-2026-33419? github.com/minio/minio (go) versions <= 0.0.0-20260212201848-7aac2a2c5b7c is affected.
- Is there a fix for CVE-2026-33419? No fixed version is listed for CVE-2026-33419 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-33419 exploitable, and should I be worried? Whether CVE-2026-33419 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-33419 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.