MinIO AIStor STS AssumeRoleWithLDAPIdentity Endpoint Brute-Force Vulnerability

Vulnerability

A vulnerability exists in the Security Token Service (STS) AssumeRoleWithLDAPIdentity endpoint of MinIO AIStor prior to RELEASE.2026-03-17T21-25-16Z. It allows LDAP credential brute-forcing through two weaknesses: the endpoint returns distinguishable error responses for valid and invalid usernames, which permits username enumeration, and it applies no rate limiting to authentication attempts. An unauthenticated network attacker can exploit this to enumerate valid LDAP usernames and perform unlimited password guessing, ultimately obtaining temporary AWS-style STS credentials. With those credentials the attacker can interact with the victim's S3 buckets and objects.

Impact

Exploitation of this vulnerability allows an attacker to enumerate valid LDAP usernames and perform high-speed password brute-force attacks against these users. Successful exploitation leads to the acquisition of temporary AWS-style STS credentials, which can be used to access the victim's S3 resources.

Remediation

Users should upgrade to MinIO AIStor RELEASE.2026-03-17T21-25-16Z or later. If an immediate upgrade is not possible, network-level rate limiting can be implemented with a reverse proxy or WAF to restrict requests to the STS AssumeRoleWithLDAPIdentity endpoint. Additionally, firewall restrictions can be applied to limit access to trusted networks or IP ranges. Configuring account lockout policies on the LDAP server can also help, although lockouts triggered by guessing attempts may cause denial of service for legitimate users.
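As an added defender-side example (not from the advisory or from MinIO), the script below scans a small constructed set of JSON audit records for the pattern the advisory describes: many failed AssumeRoleWithLDAPIdentity calls and many distinct usernames from one source inside a short window, followed by a success. The record layout (fields time, api.name, api.statusCode, remotehost, ldapUser) and the thresholds are assumptions for illustration, not MinIO's actual audit schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (one JSON object per line), NOT real MinIO output.
# Field names are assumed for this example; map them to your own log schema.
SAMPLE_LOG = """\
{"time":"2026-03-20T10:00:00Z","api":{"name":"AssumeRoleWithLDAPIdentity","statusCode":403},"remotehost":"203.0.113.7","ldapUser":"alice"}
{"time":"2026-03-20T10:00:01Z","api":{"name":"AssumeRoleWithLDAPIdentity","statusCode":403},"remotehost":"203.0.113.7","ldapUser":"bob"}
{"time":"2026-03-20T10:00:02Z","api":{"name":"AssumeRoleWithLDAPIdentity","statusCode":403},"remotehost":"203.0.113.7","ldapUser":"carol"}
{"time":"2026-03-20T10:00:03Z","api":{"name":"AssumeRoleWithLDAPIdentity","statusCode":403},"remotehost":"203.0.113.7","ldapUser":"dave"}
{"time":"2026-03-20T10:00:04Z","api":{"name":"AssumeRoleWithLDAPIdentity","statusCode":403},"remotehost":"203.0.113.7","ldapUser":"alice"}
{"time":"2026-03-20T10:00:05Z","api":{"name":"AssumeRoleWithLDAPIdentity","statusCode":403},"remotehost":"203.0.113.7","ldapUser":"alice"}
{"time":"2026-03-20T10:00:06Z","api":{"name":"AssumeRoleWithLDAPIdentity","statusCode":200},"remotehost":"203.0.113.7","ldapUser":"alice"}
{"time":"2026-03-20T10:00:30Z","api":{"name":"AssumeRoleWithLDAPIdentity","statusCode":200},"remotehost":"198.51.100.2","ldapUser":"erin"}
{"time":"2026-03-20T10:00:31Z","api":{"name":"GetObject","statusCode":200},"remotehost":"203.0.113.7"}
"""

WINDOW = timedelta(seconds=60)   # sliding window per source address (assumed tuning)
MAX_FAILURES = 5                 # failed STS attempts per source within the window
MAX_DISTINCT_USERS = 3           # distinct usernames tried per source within the window

def parse_events(text):
    """Yield (time, source, user, status) for AssumeRoleWithLDAPIdentity records only."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("api", {}).get("name") != "AssumeRoleWithLDAPIdentity":
            continue
        ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        yield ts, rec["remotehost"], rec.get("ldapUser"), rec["api"]["statusCode"]

def detect_bruteforce(text):
    """Return {source: finding} for sources exceeding a threshold in the sliding window.
    'success_after_failures' latches once a 200 follows earlier failures from that source."""
    recent = defaultdict(list)   # source -> [(time, user, status)] inside WINDOW
    findings = {}
    for ts, src, user, status in sorted(parse_events(text), key=lambda e: e[0]):
        q = recent[src]
        q.append((ts, user, status))
        while q and ts - q[0][0] > WINDOW:   # drop events older than the window
            q.pop(0)
        failures = sum(1 for _, _, s in q if s != 200)
        users = {u for _, u, _ in q}
        if failures >= MAX_FAILURES or len(users) >= MAX_DISTINCT_USERS:
            f = findings.setdefault(src, {"success_after_failures": False})
            f["failures"], f["distinct_users"] = failures, len(users)
            f["success_after_failures"] |= (status == 200 and failures > 0)
    return findings
```

Run against a live audit stream, the same logic feeds an alert or a temporary block rule at the proxy for the flagged source.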

Added: Mar 24, 2026, 8:21 PM
Updated: Mar 24, 2026, 8:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 4.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.