CVE-2026-33322
Published: 2026-03-24
Priority: P3 (59) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.41% (32.7th percentile)
MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | minio_minio | 0 – 0.0.0-20260212201848-7aac2a2c5b7c | — |
| minio | minio | — | — |
| minio | minio | >= 2022-11-08t05-27-07z < 2026-03-17t21-25-16z | 2026-03-17t21-25-16z |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| GHSA | — | 7.5 | HIGH | — |
| OSV | — | 7.5 | HIGH | — |
OSV: MinIO has JWT Algorithm Confusion in OIDC Authentication in github.com/minio/minio (osv · 2026-03-23)
GHSA: MinIO has JWT Algorithm Confusion in OIDC Authentication (ghsa · 2026-03-19 · CVSS 7.5 · HIGH · CWE-287)
### Impact
_What kind of vulnerability is it? Who is impacted?_
A JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC `ClientSecret` to forge arbitrary identity tokens and obtain S3 credentials with any policy, including `consoleAdmin`.
An attacker with knowledge of the OIDC `ClientSecret` can:
- Impersonate any user identity
- Obtain S3 credentials with any IAM policy, including `consoleAdmin`
- Access, modify, or delete any data in the MinIO deployment
The attack is deterministic (100% success rate, no race conditions).
#### Attack Prerequisites
The attacker must know the OIDC `ClientSecret`. While this is a shared credential (not a private key), it is more acc
OSV: MinIO has JWT Algorithm Confusion in OIDC Authentication (osv · 2026-03-19 · CVSS 7.5 · HIGH); the advisory body is the same text as the GHSA entry above.
Detection rules: none found.
Public exploits: none indexed.