CVE-2026-33322
Received Received - Intake
JWT Algorithm Confusion in MinIO Enables Privilege Escalation

Publication date: 2026-03-24

Last updated on: 2026-04-08

Assigner: GitHub, Inc.

Description
MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33322
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
minio minio From 2022-11-08t05-27-07z (inc) to 2026-03-17t21-25-16z (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-33322 is a JWT algorithm confusion vulnerability in MinIO's OpenID Connect (OIDC) authentication system affecting versions from RELEASE.2022-11-08T05-27-07Z up to before RELEASE.2026-03-17T21-25-16Z."}, {'type': 'paragraph', 'content': 'This flaw allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens, enabling them to impersonate any user and obtain S3 credentials with any IAM policy, including consoleAdmin privileges.'}, {'type': 'paragraph', 'content': 'The attack is deterministic with a 100% success rate and requires knowledge of the OIDC ClientSecret, which may be more accessible than expected due to prior leaks or exposure in various configurations.'}] [1]

Impact Analysis

An attacker exploiting this vulnerability can impersonate any user within the MinIO deployment and obtain S3 credentials with any policy, including full administrative (consoleAdmin) privileges.

This grants the attacker the ability to access, modify, or delete any data stored in the MinIO system, potentially leading to data breaches, data loss, or unauthorized data manipulation.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves a JWT algorithm confusion in MinIO's OpenID Connect authentication, exploitable if an attacker knows the OIDC ClientSecret."}, {'type': 'paragraph', 'content': 'Detection would primarily involve verifying if your MinIO deployment is running a vulnerable version (from RELEASE.2022-11-08T05-27-07Z up to before RELEASE.2026-03-17T21-25-16Z) and checking for exposure of the OIDC ClientSecret.'}, {'type': 'paragraph', 'content': 'Since the vulnerability depends on knowledge of the OIDC ClientSecret, you should audit your environment for leaks of this secret in environment variables, configuration files, CI/CD pipelines, frontend OAuth configurations, or mobile app bundles.'}, {'type': 'paragraph', 'content': 'No specific detection commands are provided in the available resources.'}] [1]

Mitigation Strategies

The primary mitigation is to upgrade MinIO to RELEASE.2026-03-17T21-25-16Z or later, where this vulnerability has been patched.

Additionally, treat the OIDC ClientSecret as a highly sensitive credential and prevent its exposure to untrusted parties.

  • Upgrade MinIO to the patched release or later.
  • Audit and secure the OIDC ClientSecret to ensure it is not leaked or accessible to unauthorized users.
  • Review and restrict access to environment variables, configuration files, CI/CD pipelines, frontend OAuth configurations, and mobile app bundles where the secret might be exposed.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33322. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart