CVE-2026-33322

CRITICAL SEVERITY

Vulnerability Description

MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.

Vulnerability Details

Published Date

March 19, 2026

Last Modified

March 25, 2026

CWE ID

CWE-287

Source

GitHub

Vendor

Product

github.com/minio/minio

External References

https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh
https://github.com/advisories/GHSA-5cx5-wh4m-82fh

CVE-2026-33322

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment