CRITICALCVE-2026-33322Published 2026-03-24Modified 2026-03-25CNA GitHub_M

CVE-2026-33322: MinIO: JWT Algorithm Confusion in OIDC Authentication

MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.

CVSS v4.0: 9.2
Severity: CRITICAL
Fixed in: —
Affected Products: 1

Affected packages

minio / minio
>= RELEASE.2022-11-08T05-27-07Z, < RELEASE.2026-03-17T21-25-16Z

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh

Metrics