Vulnerability-Lookup

CVE-2026-33322 (GCVE-0-2026-33322)

Vulnerability from cvelistv5 – Published: 2026-03-24 19:05 – Updated: 2026-03-25 14:28

Title

MinIO: JWT Algorithm Confusion in OIDC Authentication

Summary

MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.

Severity ?

9.2 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-287 - Improper Authentication

Assigner

GitHub_M

References

URL

Tags

https://github.com/minio/minio/security/advisorie…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	minio	minio	Affected: >= RELEASE.2022-11-08T05-27-07Z, < RELEASE.2026-03-17T21-25-16Z

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33322",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T14:00:14.071665Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T14:28:14.561Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "minio",
          "vendor": "minio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= RELEASE.2022-11-08T05-27-07Z, \u003c RELEASE.2026-03-17T21-25-16Z"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO\u0027s OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.2,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-24T19:05:04.705Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh"
        }
      ],
      "source": {
        "advisory": "GHSA-5cx5-wh4m-82fh",
        "discovery": "UNKNOWN"
      },
      "title": "MinIO: JWT Algorithm Confusion in OIDC Authentication"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33322",
    "datePublished": "2026-03-24T19:05:04.705Z",
    "dateReserved": "2026-03-18T21:23:36.677Z",
    "dateUpdated": "2026-03-25T14:28:14.561Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33322\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-24T20:16:27.857\",\"lastModified\":\"2026-04-08T19:05:00.710\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO\u0027s OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.\"},{\"lang\":\"es\",\"value\":\"MinIO es un sistema de almacenamiento de objetos de alto rendimiento. Desde RELEASE.2022-11-08T05-27-07Z hasta antes de RELEASE.2026-03-17T21-25-16Z, una vulnerabilidad de confusi\u00f3n de algoritmo JWT en la autenticaci\u00f3n OpenID Connect de MinIO permite a un atacante que conoce el OIDC ClientSecret forjar tokens de identidad arbitrarios y obtener credenciales S3 con cualquier pol\u00edtica, incluyendo consoleAdmin. Este problema ha sido parcheado en RELEASE.2026-03-17T21-25-16Z.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.2,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2022-11-08t05-27-07z\",\"versionEndExcluding\":\"2026-03-17t21-25-16z\",\"matchCriteriaId\":\"EF0498AE-5809-41DD-A2B5-FCFF799B18F2\"}]}]}],\"references\":[{\"url\":\"https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33322\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-25T14:00:14.071665Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-25T14:00:25.744Z\"}}], \"cna\": {\"title\": \"MinIO: JWT Algorithm Confusion in OIDC Authentication\", \"source\": {\"advisory\": \"GHSA-5cx5-wh4m-82fh\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"minio\", \"product\": \"minio\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= RELEASE.2022-11-08T05-27-07Z, \u003c RELEASE.2026-03-17T21-25-16Z\"}]}], \"references\": [{\"url\": \"https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh\", \"name\": \"https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO\u0027s OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-24T19:05:04.705Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33322\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-25T14:28:14.561Z\", \"dateReserved\": \"2026-03-18T21:23:36.677Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-24T19:05:04.705Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-33322

Vulnerability from fkie_nvd - Published: 2026-03-24 20:16 - Updated: 2026-04-08 19:05

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh	Vendor Advisory

Impacted products

	Vendor	Product	Version
	minio	minio	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF0498AE-5809-41DD-A2B5-FCFF799B18F2",
              "versionEndExcluding": "2026-03-17t21-25-16z",
              "versionStartIncluding": "2022-11-08t05-27-07z",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO\u0027s OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z."
    },
    {
      "lang": "es",
      "value": "MinIO es un sistema de almacenamiento de objetos de alto rendimiento. Desde RELEASE.2022-11-08T05-27-07Z hasta antes de RELEASE.2026-03-17T21-25-16Z, una vulnerabilidad de confusi\u00f3n de algoritmo JWT en la autenticaci\u00f3n OpenID Connect de MinIO permite a un atacante que conoce el OIDC ClientSecret forjar tokens de identidad arbitrarios y obtener credenciales S3 con cualquier pol\u00edtica, incluyendo consoleAdmin. Este problema ha sido parcheado en RELEASE.2026-03-17T21-25-16Z."
    }
  ],
  "id": "CVE-2026-33322",
  "lastModified": "2026-04-08T19:05:00.710",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.2,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-24T20:16:27.857",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-5CX5-WH4M-82FH

Vulnerability from github – Published: 2026-03-19 17:56 – Updated: 2026-03-27 21:57

Summary

MinIO has JWT Algorithm Confusion in OIDC Authentication

Details

Impact

What kind of vulnerability is it? Who is impacted?

A JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin.

An attacker with knowledge of the OIDC ClientSecret can:

Impersonate any user identity
Obtain S3 credentials with any IAM policy, including consoleAdmin
Access, modify, or delete any data in the MinIO deployment

The attack is deterministic (100% success rate, no race conditions).

Attack Prerequisites

The attacker must know the OIDC ClientSecret. While this is a shared credential (not a private key), it is more accessible than commonly assumed:

CVE-2023-28432 previously leaked environment variables including MINIO_IDENTITY_OPENID_CLIENT_SECRET
Client secrets are often present in frontend OAuth configurations, mobile app bundles, CI/CD pipelines, and shared configuration files
In many organizations, the client secret is accessible to operators and engineers who should not be able to forge arbitrary identities

Affected Versions

All MinIO releases from RELEASE.2022-11-08T05-27-07Z through the final release of the minio/minio open-source project.

Patches

Fixed in: MinIO AIStor RELEASE.2026-03-17T21-25-16Z

Downloads

Binary Downloads

Platform	Architecture	Download
Linux	amd64	minio
Linux	arm64	minio
macOS	arm64	minio
macOS	amd64	minio
Windows	amd64	minio.exe

FIPS Binaries

Platform	Architecture	Download
Linux	amd64	minio.fips
Linux	arm64	minio.fips

Package Downloads

Format	Architecture	Download
DEB	amd64	minio_20260317212516.0.0_amd64.deb
DEB	arm64	minio_20260317212516.0.0_arm64.deb
RPM	amd64	minio-20260317212516.0.0-1.x86_64.rpm
RPM	arm64	minio-20260317212516.0.0-1.aarch64.rpm

Container Images

# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z

# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips

Homebrew (macOS)

brew install minio/aistor/minio

Workarounds

Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-03-17T21-25-16Z or later.
As a workaround, ensure that the OIDC ClientSecret is treated as a highly sensitive credential and is not exposed to untrusted parties.

Severity ?

9.2 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/minio/minio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.0-20260212201848-7aac2a2c5b7c"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-327"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T17:56:37Z",
    "nvd_published_at": "2026-03-24T20:16:27Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nA JWT algorithm confusion vulnerability in MinIO\u0027s OpenID Connect authentication allows an attacker who knows the OIDC `ClientSecret` to forge arbitrary identity tokens and obtain S3 credentials with any policy, including `consoleAdmin`.\n\nAn attacker with knowledge of the OIDC `ClientSecret` can:\n\n- Impersonate any user identity\n- Obtain S3 credentials with any IAM policy, including `consoleAdmin`\n- Access, modify, or delete any data in the MinIO deployment\n\nThe attack is deterministic (100% success rate, no race conditions).\n\n#### Attack Prerequisites\n\nThe attacker must know the OIDC `ClientSecret`. While this is a shared credential (not a private key), it is more accessible than commonly assumed:\n\n- CVE-2023-28432 previously leaked environment variables including `MINIO_IDENTITY_OPENID_CLIENT_SECRET`\n- Client secrets are often present in frontend OAuth configurations, mobile app bundles, CI/CD pipelines, and shared configuration files\n- In many organizations, the client secret is accessible to operators and engineers who should not be able to forge arbitrary identities\n\n\n#### Affected Versions\n\nAll MinIO releases from `RELEASE.2022-11-08T05-27-07Z` through the final release of the `minio/minio` open-source project.\n\n### Patches\n\n**Fixed in:** MinIO AIStor `RELEASE.2026-03-17T21-25-16Z`\n\n## Downloads\n\n### Binary Downloads\n\n| Platform | Architecture | Download                                                                    |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux    | amd64        | [minio](https://dl.min.io/aistor/minio/release/linux-amd64/minio)           |\n| Linux    | arm64        | [minio](https://dl.min.io/aistor/minio/release/linux-arm64/minio)           |\n| macOS    | arm64        | [minio](https://dl.min.io/aistor/minio/release/darwin-arm64/minio)          |\n| macOS    | amd64        | [minio](https://dl.min.io/aistor/minio/release/darwin-amd64/minio)          |\n| Windows  | amd64        | [minio.exe](https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe) |\n\n### FIPS Binaries\n\n| Platform | Architecture | Download                                                                    |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux    | amd64        | [minio.fips](https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips) |\n| Linux    | arm64        | [minio.fips](https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips) |\n\n### Package Downloads\n\n| Format | Architecture | Download                                                                                                                            |\n| ------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------- |\n| DEB    | amd64        | [minio_20260317212516.0.0_amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio_20260317212516.0.0_amd64.deb)         |\n| DEB    | arm64        | [minio_20260317212516.0.0_arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio_20260317212516.0.0_arm64.deb)         |\n| RPM    | amd64        | [minio-20260317212516.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260317212516.0.0-1.x86_64.rpm)   |\n| RPM    | arm64        | [minio-20260317212516.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/release/linux-arm64/minio-20260317212516.0.0-1.aarch64.rpm) |\n\n### Container Images\n\n```bash\n# Standard\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z\n\n# FIPS\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips\n```\n\n### Homebrew (macOS)\n\n```bash\nbrew install minio/aistor/minio\n```\n\n### Workarounds\n\n- [Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-03-17T21-25-16Z` or later.](https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/)\n- As a workaround, ensure that the OIDC `ClientSecret` is treated as a highly sensitive credential and is not exposed to untrusted parties.",
  "id": "GHSA-5cx5-wh4m-82fh",
  "modified": "2026-03-27T21:57:21Z",
  "published": "2026-03-19T17:56:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33322"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/minio/minio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MinIO has JWT Algorithm Confusion in OIDC Authentication"
}

bit-minio-2026-33322

Vulnerability from bitnami_vulndb

Published

2026-03-27 07:07

Modified

2026-03-27 07:40

Summary

MinIO: JWT Algorithm Confusion in OIDC Authentication

Details

MinIO is a high-performance object storage system. From 2022.11.08 to before 2026.03.17, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in 2026.03.17.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "minio",
        "purl": "pkg:bitnami/minio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2022.11.08"
            },
            {
              "fixed": "2026.03.17"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "type": "CVSS_V4"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33322"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:minio:minio:*:*:*:*:*:go:*:*"
    ],
    "severity": "Critical"
  },
  "details": "MinIO is a high-performance object storage system. From 2022.11.08 to before 2026.03.17, a JWT algorithm confusion vulnerability in MinIO\u0027s OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in 2026.03.17.",
  "id": "BIT-minio-2026-33322",
  "modified": "2026-03-27T07:40:55.991Z",
  "published": "2026-03-27T07:07:59.802Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33322"
    }
  ],
  "schema_version": "1.6.2",
  "summary": "MinIO: JWT Algorithm Confusion in OIDC Authentication"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33322 (GCVE-0-2026-33322)

FKIE_CVE-2026-33322

GHSA-5CX5-WH4M-82FH

Impact

Attack Prerequisites

Affected Versions

Patches

Downloads

Binary Downloads

FIPS Binaries

Package Downloads

Container Images

Homebrew (macOS)

Workarounds

bit-minio-2026-33322

Vulnerability from bitnami_vulndb

Tags

Sightings

Nomenclature