MinIO CVE-2025-62506 Privilege Escalation: Brief Summary and Technical Analysis

A brief summary of CVE-2025-62506, a privilege escalation vulnerability in MinIO object storage. This post covers technical details, affected versions, and vendor security history, with references to advisories and patches.
ZeroPath CVE Analysis

2025-10-16

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Service accounts intended to be tightly restricted can silently escalate to full parent privileges in MinIO object storage, undermining least privilege and exposing sensitive data to unauthorized access. Organizations relying on session or inline policies to contain the blast radius of credential compromise are directly affected, with risk extending to data modification, deletion, and unauthorized creation of objects.

MinIO is a widely used high-performance object storage system, compatible with Amazon S3 APIs and deployed in enterprise, government, and cloud-native environments. Its flexible IAM model and Kubernetes integration make it a popular choice for scalable, private cloud storage.

Technical Information

CVE-2025-62506 is a privilege escalation vulnerability in MinIO's Identity and Access Management (IAM) subsystem. The flaw exists in all versions prior to RELEASE.2025-10-15T17-29-55Z. It affects service accounts and Security Token Service (STS) accounts that are restricted by session or inline policies.

The vulnerability arises from incorrect policy validation logic when these restricted accounts perform operations on themselves, specifically when creating new service accounts for the same user. The IAM code incorrectly relies on the DenyOnly argument during session policy validation. Instead of checking whether the session policy explicitly allows an action, it only checks that the action is not explicitly denied. So if a session policy is present and does not explicitly deny creating a service account, the action is permitted, even though the policy never explicitly allows it.

As a result, an attacker with valid credentials for a restricted service or STS account can create a new service account for themselves. The new account is created without the policy restrictions of the original account and instead inherits the full privileges of the parent user. This bypasses the intended security controls, allowing the attacker to access, modify, delete, or create objects and buckets outside their authorized scope.

The root cause is the use of DenyOnly logic in session policy validation, which breaks the intended intersection of session and base policies. The fix, implemented in pull request #21642, ensures that session policy validation requires actions to be explicitly allowed, not just not denied.
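To make the difference between the two validation rules concrete, here is a small policy evaluator written for this post (an added example, not MinIO's code). The policy types, the wildcard matcher and the two sample policies are constructed stand-ins; `IsAllowedDenyOnly` models the pre-fix "not explicitly denied" check and `IsAllowedIntersection` the corrected "explicitly allowed by both policies" check.

```go
package main
import ("fmt"; "strings")

// Constructed stand-ins for IAM policy documents, not MinIO's real types.
type Statement struct{ Effect string; Actions, Resources []string } // Effect is "Allow" or "Deny"
type Policy struct{ Statements []Statement }

// matches supports exact names and a trailing "*" wildcard ("*" alone matches anything).
func matches(pattern, s string) bool {
	return pattern == s || (strings.HasSuffix(pattern, "*") && strings.HasPrefix(s, strings.TrimSuffix(pattern, "*")))
}

// decision reports whether the policy explicitly allows and/or explicitly denies the pair.
func (p Policy) decision(action, resource string) (allowed, denied bool) {
	for _, st := range p.Statements {
		for _, a := range st.Actions {
			for _, r := range st.Resources {
				if matches(a, action) && matches(r, resource) {
					allowed = allowed || st.Effect == "Allow"
					denied = denied || st.Effect == "Deny"
				}
			}
		}
	}
	return allowed, denied
}

// IsAllowedDenyOnly models the pre-fix check: the session policy merely must not deny the action.
func IsAllowedDenyOnly(base, session Policy, action, resource string) bool {
	bAllow, bDeny := base.decision(action, resource)
	_, sDeny := session.decision(action, resource)
	return bAllow && !bDeny && !sDeny
}

// IsAllowedIntersection models the corrected check: both policies must explicitly allow, neither may deny.
func IsAllowedIntersection(base, session Policy, action, resource string) bool {
	bAllow, bDeny := base.decision(action, resource)
	sAllow, sDeny := session.decision(action, resource)
	return bAllow && !bDeny && sAllow && !sDeny
}

// Constructed sample: the parent user has full access; the session policy only grants reads under logs/.
var ParentPolicy = Policy{[]Statement{{"Allow", []string{"*"}, []string{"*"}}}}
var SessionPolicy = Policy{[]Statement{{"Allow", []string{"s3:GetObject"}, []string{"arn:aws:s3:::logs/*"}}}}

func main() {
	const act, res = "admin:CreateServiceAccount", "*"
	fmt.Println("deny-only (vulnerable):", IsAllowedDenyOnly(ParentPolicy, SessionPolicy, act, res))    // true
	fmt.Println("intersection (fixed):", IsAllowedIntersection(ParentPolicy, SessionPolicy, act, res)) // false
}
```

The session policy never mentions admin:CreateServiceAccount, so the deny-only rule lets it through on the strength of the parent's policy alone, while the intersection rule rejects it because the session policy has no explicit allow.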

Affected Systems and Versions

  • Product: MinIO object storage
  • Affected versions: All versions prior to RELEASE.2025-10-15T17-29-55Z
  • Vulnerable configurations: Any deployment using service accounts or STS accounts with restricted session or inline policies

Vendor Security History

MinIO has a documented history of IAM-related vulnerabilities:

  • CVE-2024-24747: Privilege escalation via admin:UpdateServiceAccount permission inheritance
  • CVE-2024-55949: IAM import API privilege escalation

The vendor typically responds rapidly to disclosures with detailed advisories and patches. However, the recurrence of IAM logic flaws highlights ongoing complexity and risk in their access control implementation.
