CVE-2026-33322
JWT Algorithm Confusion in MinIO Enables Privilege Escalation
Publication date: 2026-03-24
Last updated on: 2026-04-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| minio | minio | From 2022-11-08t05-27-07z (inc) to 2026-03-17t21-25-16z (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-33322 is a JWT algorithm confusion vulnerability in MinIO's OpenID Connect (OIDC) authentication system affecting versions from RELEASE.2022-11-08T05-27-07Z up to before RELEASE.2026-03-17T21-25-16Z."}, {'type': 'paragraph', 'content': 'This flaw allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens, enabling them to impersonate any user and obtain S3 credentials with any IAM policy, including consoleAdmin privileges.'}, {'type': 'paragraph', 'content': 'The attack is deterministic with a 100% success rate and requires knowledge of the OIDC ClientSecret, which may be more accessible than expected due to prior leaks or exposure in various configurations.'}] [1]
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can impersonate any user within the MinIO deployment and obtain S3 credentials with any policy, including full administrative (consoleAdmin) privileges.
This grants the attacker the ability to access, modify, or delete any data stored in the MinIO system, potentially leading to data breaches, data loss, or unauthorized data manipulation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability involves a JWT algorithm confusion in MinIO's OpenID Connect authentication, exploitable if an attacker knows the OIDC ClientSecret."}, {'type': 'paragraph', 'content': 'Detection would primarily involve verifying if your MinIO deployment is running a vulnerable version (from RELEASE.2022-11-08T05-27-07Z up to before RELEASE.2026-03-17T21-25-16Z) and checking for exposure of the OIDC ClientSecret.'}, {'type': 'paragraph', 'content': 'Since the vulnerability depends on knowledge of the OIDC ClientSecret, you should audit your environment for leaks of this secret in environment variables, configuration files, CI/CD pipelines, frontend OAuth configurations, or mobile app bundles.'}, {'type': 'paragraph', 'content': 'No specific detection commands are provided in the available resources.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade MinIO to RELEASE.2026-03-17T21-25-16Z or later, where this vulnerability has been patched.
Additionally, treat the OIDC ClientSecret as a highly sensitive credential and prevent its exposure to untrusted parties.
- Upgrade MinIO to the patched release or later.
- Audit and secure the OIDC ClientSecret to ensure it is not leaked or accessible to unauthorized users.
- Review and restrict access to environment variables, configuration files, CI/CD pipelines, frontend OAuth configurations, and mobile app bundles where the secret might be exposed.