Privilege Escalation Flaw Discovered in MinIO Service Accounts — CVE-2025-62506

The developers of MinIO, a popular high-performance, S3-compatible object storage platform, have issued a critical security advisory addressing a privilege escalation vulnerability (CVE-2025-62506, CVSS 8.1) that could allow attackers to bypass session policy restrictions and gain elevated permissions through service accounts and security tokens.

“A privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrictions when performing ‘own’ account operations, specifically when creating new service accounts for the same user,” the MinIO team wrote in its advisory.

The flaw resides in MinIO’s IAM policy validation logic located in cmd/iam.go. During validation, the system incorrectly relied on a parameter called DenyOnly, which determines whether certain self-service actions should bypass standard access policy checks.

“The vulnerability exists in the IAM policy validation logic in cmd/iam.go. When validating session policies for restricted accounts performing operations on their own account (such as creating service accounts), the code incorrectly relied on the DenyOnly argument,” MinIO explained.

Essentially, when a restricted session policy (sub-policy) is applied, the system should validate whether the requested action is explicitly allowed — not just confirm that it isn’t denied. However, the flawed logic failed to enforce that requirement, allowing users with limited privileges to escalate their permissions inadvertently.

MinIO outlined a clear example of how an attacker could exploit this misconfiguration:

1. An administrator creates a service or STS account with a restricted inline policy (e.g., access limited to bucket1 and bucket2).
2. The restricted account then creates a new service account under the same parent user without applying any policy restrictions.
3. Due to the policy bypass, the newly created service account inherits full parent privileges instead of being bound by the original restrictions.
4. The attacker can now perform unauthorized actions across the storage system, such as reading, modifying, or deleting objects in other buckets.

The vulnerability is considered high severity due to its low complexity and high confidentiality and integrity impact.

“Exploitation requires only valid credentials for a restricted service/STS account,” MinIO noted. “Attackers can access buckets and objects beyond their intended restrictions and modify, delete, or create objects outside their authorized scope.”

While the flaw does not directly affect availability, its ability to silently expand data access privileges makes it a serious concern for cloud and AI/ML workloads relying on MinIO’s storage APIs.

The issue was fixed in pull request #21642 and committed under c1a4949 on the official MinIO repository.

Users are advised to immediately upgrade to the latest stable version:

go install -v github.com/minio/minio@RELEASE.2025-10-15T17-29-55Z

MinIO recommends administrators take the following steps to secure affected deployments:

• Upgrade MinIO — Update to the latest release containing the patch.
• Audit Service Accounts — Review all service accounts created by non-admin users to ensure compliance with expected privileges.
• Revoke Suspicious Accounts — Delete any potentially unauthorized or unrestricted service accounts.
• Review Access Logs — Check for unusual access attempts or actions against sensitive buckets.

Related Posts:

• MinIO Urgently Patches High-Severity Incomplete Signature Validation Vulnerability
• CISA warns of MinIO privilege escalation flaw exploited in attacks
• CVE-2024-55949 (CVSS 9.3): Critical MinIO Flaw Allows Any User to Gain Full Admin Privileges
• High severity security vulnerability in MinIO
• Google to Offer Gemini AI to Kids Under 13 with Parental Controls