CVE-2024-55949 Overview
CVE-2024-55949 is a privilege escalation vulnerability in MinIO, a high-performance S3-compatible object store distributed under the GNU AGPLv3 license. The flaw resides in the Identity and Access Management (IAM) import API and affects all users running builds derived from commit 580d9db85e04f1b63cc2909af50f0ed08afa965f. An attacker with network access to a vulnerable MinIO deployment can elevate privileges through the IAM import endpoint, gaining unauthorized control over identity policies. The MinIO maintainers addressed the issue in commit f246c9053f9603e610d98439799bdd2a6b293427, shipped in RELEASE.2024-12-13T22-19-12Z. No workarounds exist, and upgrading is the only remediation path.
Critical Impact
Network-reachable attackers can escalate privileges through the IAM import API, compromising confidentiality and integrity of all stored objects and access policies.
Affected Products
- MinIO builds from commit 580d9db85e04f1b63cc2909af50f0ed08afa965f onward
- MinIO releases prior to RELEASE.2024-12-13T22-19-12Z
- All deployments exposing the MinIO IAM import API to untrusted networks
Discovery Timeline
- 2024-12-16 - CVE-2024-55949 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-55949
Vulnerability Analysis
The vulnerability is classified as Improper Privilege Management [CWE-269]. MinIO exposes an IAM import API used to bulk-load users, groups, policies, and service accounts from a serialized archive. The import handler does not adequately constrain the privileges that calling identities may assign during import. As a result, a caller can submit IAM artifacts that grant elevated permissions beyond what the caller already holds, breaking the principle of least privilege within the MinIO identity model.
Because MinIO IAM data drives bucket policies, service account credentials, and STS-derived sessions, a successful exploit reshapes the authorization surface of the entire cluster. The attacker can craft policies that grant administrative access, read or modify any bucket, or mint long-lived service account credentials for continued access.
Root Cause
The regression was introduced in commit 580d9db85e04f1b63cc2909af50f0ed08afa965f, which altered the IAM import workflow. The import path failed to enforce that imported identities and policies remained at or below the caller's effective permission level. The fix in commit f246c9053f9603e610d98439799bdd2a6b293427 reintroduces the missing authorization checks during import processing.
Attack Vector
The attack vector is network-based and requires no user interaction. An adversary issues a crafted request to the IAM import endpoint of a reachable MinIO server. The request contains IAM definitions that map the caller to a higher-privileged policy or create new privileged service accounts. Once imported, the attacker authenticates with the elevated identity and accesses arbitrary buckets and administrative functions.
No verified exploit code is publicly available. See the MinIO Security Advisory GHSA-cwq8-g58r-32hg and the fix pull request #20756 for technical details.
Detection Methods for CVE-2024-55949
Indicators of Compromise
- Unexpected requests to the MinIO IAM import API endpoint (/minio/admin/v3/import-iam) from unusual source addresses or service accounts
- New or modified IAM policies, users, groups, or service accounts appearing without an authorized change ticket
- Service accounts with consoleAdmin or equivalent administrative policies created outside normal provisioning workflows
- Bucket policy changes immediately following an IAM import call
Detection Strategies
- Audit MinIO server logs and admin API access logs for ImportIAM operations and correlate against authorized administrators
- Inventory current IAM state and diff against a known-good baseline to identify unauthorized policy or account additions
- Alert on creation of long-lived service accounts and on policy attachments that grant admin:* or s3:* actions
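As an added example, not from the advisory or the MinIO project, the following Python script applies the ImportIAM indicators above to constructed MinIO audit-log lines: it reports every ImportIAM call, marks those from outside the sanctioned admin subnet, and correlates policy or service-account changes that land shortly after an import. The fields time, api.name and remotehost follow MinIO's JSON audit format; the admin subnet, the correlation window and the follow-up API names are assumptions to adjust per deployment.

```python
import ipaddress
import json
import re
from datetime import datetime, timedelta

# Sanctioned management subnet for IAM administration (assumed value for this example).
ADMIN_SUBNETS = [ipaddress.ip_network("10.10.0.0/24")]
# Policy or credential changes this soon after an ImportIAM call are tied to it.
CORRELATION_WINDOW = timedelta(minutes=10)
# Audit API names treated as privilege-relevant follow-up actions (assumed names).
FOLLOWUP_APIS = {"PutBucketPolicy", "AddCannedPolicy", "AddServiceAccount",
                 "AttachDetachPolicyBuiltin"}

# Constructed audit-log lines (one JSON object per line); only time, api.name and remotehost are read.
SAMPLE_LOG = [
    '{"time":"2024-12-14T10:00:00.000000000Z","api":{"name":"GetObject","bucket":"finance"},"remotehost":"10.10.0.5"}',
    '{"time":"2024-12-14T10:05:00.000000000Z","api":{"name":"ImportIAM"},"remotehost":"203.0.113.7"}',
    '{"time":"2024-12-14T10:06:30.000000000Z","api":{"name":"PutBucketPolicy","bucket":"finance"},"remotehost":"203.0.113.7"}',
    '{"time":"2024-12-14T11:00:00.000000000Z","api":{"name":"AddServiceAccount"},"remotehost":"10.10.0.5"}',
]


def parse_time(ts):
    """RFC3339 with nanoseconds -> aware datetime; fromisoformat accepts at most 6 fractional digits."""
    ts = re.sub(r"\.(\d{6})\d*", r".\1", ts)
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def scan(lines):
    """Return findings for ImportIAM calls and for policy changes that closely follow one."""
    findings = []
    last_import = None
    for raw in lines:
        entry = json.loads(raw)
        api = entry.get("api", {}).get("name", "")
        when = parse_time(entry["time"])
        host = ipaddress.ip_address(entry.get("remotehost", "0.0.0.0"))
        trusted = any(host in net for net in ADMIN_SUBNETS)
        if api == "ImportIAM":
            last_import = when
            # Every import deserves review; one from outside the admin subnet is an IoC.
            reason = "ImportIAM from trusted admin subnet" if trusted else "ImportIAM from untrusted host"
            findings.append({"time": entry["time"], "api": api, "host": str(host), "reason": reason})
        elif api in FOLLOWUP_APIS and last_import and timedelta(0) <= when - last_import <= CORRELATION_WINDOW:
            findings.append({"time": entry["time"], "api": api, "host": str(host),
                             "reason": f"{api} within {CORRELATION_WINDOW} of an ImportIAM call"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['host']:>15} {f['api']:<18} {f['reason']}")
```

Pipe real audit lines in via `scan(open("audit.jsonl"))`; the fourth sample line is deliberately outside the window and produces no finding.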
Monitoring Recommendations
- Forward MinIO audit logs to a centralized analytics platform and retain at least 90 days of IAM administrative activity
- Track the MinIO server Version header and startup banner to detect deployments still running pre-RELEASE.2024-12-13T22-19-12Z builds
- Monitor outbound data transfer volumes from MinIO nodes for anomalies consistent with bulk object exfiltration following an IAM change
How to Mitigate CVE-2024-55949
Immediate Actions Required
- Upgrade all MinIO servers to RELEASE.2024-12-13T22-19-12Z or later without delay
- Restrict network access to MinIO administrative APIs to trusted management subnets and jump hosts
- Rotate root credentials, access keys, and any service account secrets that may have been exposed since the vulnerable commit was deployed
- Review IAM policies, users, groups, and service accounts for unauthorized changes and revert anything not tied to a sanctioned change record
Patch Information
The fix is included in MinIO RELEASE.2024-12-13T22-19-12Z, delivered by commit f246c9053f9603e610d98439799bdd2a6b293427. Operators using container images should pull the updated tag and redeploy. Operators using package distributions should upgrade to the matching release binary. Verify the running version after upgrade with mc admin info against each server.
Workarounds
- No workarounds are available per the MinIO maintainers; upgrading is mandatory
- As a temporary compensating control until upgrade, block external access to the IAM import API at the network or reverse-proxy layer and limit administrative endpoints to a bastion host
# Verify the patched MinIO release is running
mc admin info ALIAS | grep -i version
# Expected output should reference RELEASE.2024-12-13T22-19-12Z or later
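An added fleet-wide version check, not from the advisory or MinIO, that classifies each node's reported version against the fixed release. It accepts both the RELEASE.YYYY-MM-DDTHH-MM-SSZ banner form and the colon-separated timestamp form; the JSON shape assumed for mc admin info --json (info.servers[].endpoint and .version) is an assumption, and the sample output is constructed.

```python
import json
import re

# First MinIO release that contains the fix for CVE-2024-55949 (from the advisory).
FIXED_RELEASE = "RELEASE.2024-12-13T22-19-12Z"


def release_key(version):
    """Normalise 'RELEASE.2024-12-13T22-19-12Z' or '2024-12-13T22:19:12Z' to a sortable string."""
    m = re.search(r"(\d{4}-\d{2}-\d{2})T(\d{2})[-:](\d{2})[-:](\d{2})Z", version)
    if not m:
        raise ValueError(f"unrecognised MinIO version string: {version!r}")
    return "{}T{}{}{}".format(*m.groups())


def is_patched(version):
    """True when the version is the fixed release or later (release timestamps sort lexically)."""
    return release_key(version) >= release_key(FIXED_RELEASE)


def check_servers(admin_info_json):
    """Map each endpoint to True/False; assumes the mc admin info --json shape noted in the lead-in."""
    info = json.loads(admin_info_json)
    return {s["endpoint"]: is_patched(s["version"]) for s in info["info"]["servers"]}


# Constructed sample in the assumed output shape: one node patched, one still vulnerable.
SAMPLE_ADMIN_INFO = json.dumps({"status": "success", "info": {"servers": [
    {"endpoint": "minio1:9000", "version": "2024-12-13T22:19:12Z"},
    {"endpoint": "minio2:9000", "version": "2024-12-01T00:00:00Z"},
]}})

if __name__ == "__main__":
    for endpoint, ok in check_servers(SAMPLE_ADMIN_INFO).items():
        print(f"{endpoint}: {'patched' if ok else 'VULNERABLE, upgrade required'}")
```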
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.