MinIO: JWT Algorithm Confusion in OIDC Authentication_CVE-2026-33322

9.2 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.

Basic Information

ID CVE-2026-33322

Source GitHub_M

Published Mar 24, 2026 at 19:05

Modified Mar 25, 2026 at 14:28

Affected Product

Vendor minio

Product minio

Version >= RELEASE.2022-11-08T05-27-07Z, < RELEASE.2026-03-17T21-25-16Z

Affected Versions minio minio >= RELEASE.2022-11-08T05-27-07Z, < RELEASE.2026-03-17T21-25-16Z

CWE Classification

CWE-287

References

github.com /minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh

{
    "lastseen": "",
    "description": "MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.",
    "published": "2026-03-24T19:05:04.705Z",
    "modified": "2026-03-25T14:28:14.561Z",
    "type": "cve",
    "title": "MinIO: JWT Algorithm Confusion in OIDC Authentication",
    "source": "GitHub_M",
    "references": "https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh",
    "id": "CVE-2026-33322",
    "bulletinFamily": "",
    "cwe": [
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "minio minio >= RELEASE.2022-11-08T05-27-07Z, < RELEASE.2026-03-17T21-25-16Z",
    "sourceHref": "",
    "cvss": {
        "score": 9.2,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "minio",
    "version": ">= RELEASE.2022-11-08T05-27-07Z, < RELEASE.2026-03-17T21-25-16Z",
    "vendor": "minio",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}