IRONSMITHINTEL
HIGHCVSS7.5
|
Actively Exploited
|CISA KEV|CVE-2023-28432|Auth: none — unauthenticated|Reboot: required|Manual only

MinIO Information Disclosure Vulnerability

MinIO contains a vulnerability in a cluster deployment where MinIO returns all environment variables, which allows for information disclosure.

Published Mar 22, 2023 · Updated May 16, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

A remote attacker, without authentication, can achieve full data confidentiality loss. Federal agencies are required to remediate by 2023-05-12 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Information Disclosure (CWE-200) vulnerability in MinIO MinIO. Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z. Exploitation requires remote network access, low attack complexity, no authentication required, and no user interaction required.

📧

Phishing link

🖼

Malicious file

🔓

Server compromised

Am I affected?Quick check

Probably yes if any of these apply:

IT Security
Running minio: 2019-12-17t23-16-33z ≤ v < 2023-03-20t20-16-18z
Real-world incidentsWhat we've seen

Active exploitation documented in the wild. Threat-research write-up: https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply updates per vendor instructions.

References

    1
    Vendor advisory: https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q
    1
    NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-28432
    1
    CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28432
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2023-28432NVDVendor Advisory