PT-2026-26481 · Minio · Minio Aistor+1

Koreasecurity · Published 2026-03-19 · Updated 2026-03-27

CVE-2026-33322 · CVSS v3.1 9.8 (Critical) · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MinIO (including MinIO AIStor), releases from RELEASE.2022-11-08T05-27-07Z up to, but not including, the fixed release RELEASE.2026-03-17T21-25-16Z.
Description: MinIO's OpenID Connect (OIDC) authentication has a JWT algorithm confusion flaw: the token verifier lets the token's own alg header choose the signature check, and for HMAC algorithms it uses the OIDC ClientSecret as the key. An attacker who knows the ClientSecret can therefore mint an identity token the provider never issued, present it to MinIO's STS AssumeRoleWithWebIdentity endpoint, and receive S3 credentials bound to any policy named in the token's policy claim, including consoleAdmin. With those credentials the attacker can impersonate any user identity and read, modify, or delete data in the deployment. The attack is deterministic: no race, brute force, or user interaction is involved, so with the secret in hand it succeeds on every attempt. The only precondition is access to the OIDC ClientSecret, which in practice is found in environment variables, frontend OAuth configurations, mobile app bundles, CI/CD pipelines, or shared configuration files.
Recommendations: Upgrade to MinIO AIStor RELEASE.2026-03-17T21-25-16Z or later. Because a forged token carries whatever policy claim the attacker chooses, treat any ClientSecret that may have been exposed as compromised: rotate it at the identity provider and in the MinIO OIDC configuration, and review MinIO audit logs for STS credential issuance or console sessions that do not correspond to a real user login. As a workaround until the upgrade, treat the OIDC ClientSecret as a highly sensitive credential and keep it away from untrusted parties; this reduces exposure but does not remove the flaw, and a secret that also ships in frontend or mobile clients cannot be kept secret enough for the workaround to hold.
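The confusion described above, as an added stand-alone Go example (not MinIO's code and not taken from this advisory): a minimal JWS signer and parser built on the standard library, a verifier shaped like the flaw (the token's alg header picks the check, and HS256 is keyed with the ClientSecret), and a hardened verifier that pins the algorithm to the provider's published key and never touches the ClientSecret. The provider key pair, the ClientSecret, the subject names and the claim values are constructed for the demonstration; the policy claim mirrors the one MinIO reads to select an IAM policy, but the verifier functions are illustrative, not MinIO's implementation. The provider key is Ed25519 (JWS alg EdDSA) to keep the example short; with the RS256 keys most OIDC providers publish the logic is identical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS segments are base64url without padding

// signingInput is header.payload, the bytes every JWS signature covers.
func signingInput(alg string, claims map[string]any) string {
	h, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	p, _ := json.Marshal(claims)
	return b64.EncodeToString(h) + "." + b64.EncodeToString(p)
}

func hmacSHA256(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// parse splits a compact JWS into alg, signed input, raw signature and claims; it verifies nothing.
func parse(token string) (alg, signing string, sig []byte, claims map[string]any, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", "", nil, nil, errors.New("malformed JWS")
	}
	hb, herr := b64.DecodeString(parts[0])
	pb, perr := b64.DecodeString(parts[1])
	sig, err = b64.DecodeString(parts[2])
	var header struct{ Alg string `json:"alg"` }
	if herr != nil || perr != nil || err != nil || json.Unmarshal(hb, &header) != nil || json.Unmarshal(pb, &claims) != nil {
		return "", "", nil, nil, errors.New("malformed JWS")
	}
	return header.Alg, parts[0] + "." + parts[1], sig, claims, nil
}

// vulnerableVerify has the shape of the flaw: the token's own alg header selects the check,
// and for HMAC the OIDC ClientSecret doubles as the verification key.
func vulnerableVerify(token string, pub ed25519.PublicKey, clientSecret []byte) (map[string]any, error) {
	alg, signing, sig, claims, err := parse(token)
	if err != nil {
		return nil, err
	}
	switch alg {
	case "EdDSA":
		if !ed25519.Verify(pub, []byte(signing), sig) {
			return nil, errors.New("bad signature")
		}
	case "HS256":
		if !hmac.Equal(hmacSHA256(clientSecret, []byte(signing)), sig) {
			return nil, errors.New("bad HMAC")
		}
	default:
		return nil, errors.New("unsupported alg")
	}
	return claims, nil
}

// hardenedVerify pins the algorithm to the provider's published key type and never consults
// the ClientSecret, so knowing that secret forges nothing.
func hardenedVerify(token string, pub ed25519.PublicKey) (map[string]any, error) {
	alg, signing, sig, claims, err := parse(token)
	if err != nil {
		return nil, err
	}
	if alg != "EdDSA" || !ed25519.Verify(pub, []byte(signing), sig) {
		return nil, errors.New("alg or signature not valid for the provider's JWKS key")
	}
	return claims, nil
}

// Demo runs the scenario with a constructed provider key pair and a constructed ClientSecret
// assumed to have leaked, and reports what each verifier made of the forged and genuine tokens.
func Demo() (forgedByVulnerable bool, forgedPolicy string, forgedByHardened, genuineByHardened bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	clientSecret := []byte("constructed-oidc-client-secret")
	// The attacker never contacts the IdP: the ClientSecret alone yields this token.
	si := signingInput("HS256", map[string]any{"sub": "attacker", "policy": "consoleAdmin"})
	forged := si + "." + b64.EncodeToString(hmacSHA256(clientSecret, []byte(si)))
	if claims, verr := vulnerableVerify(forged, pub, clientSecret); verr == nil {
		forgedByVulnerable = true
		forgedPolicy, _ = claims["policy"].(string)
	}
	_, herr := hardenedVerify(forged, pub)
	forgedByHardened = herr == nil
	// A genuine token signed by the provider must still pass after the fix.
	si = signingInput("EdDSA", map[string]any{"sub": "alice", "policy": "readonly"})
	_, gerr := hardenedVerify(si+"."+b64.EncodeToString(ed25519.Sign(priv, []byte(si))), pub)
	genuineByHardened = gerr == nil
	return
}
```

The point to take from Demo is that the vulnerable path returns a claim set containing policy=consoleAdmin for a token no identity provider ever signed, while the hardened path rejects it and still accepts the provider's own token. The defensive rule it encodes is the general one for JWT consumers: decide the permitted algorithm from the key you trust (the JWKS key type), not from the token, and never let a shared client credential act as a signature verification key.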

Fix: available (see Recommendations)

Weakness Enumeration

Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
Improper Authentication (CWE-287)

Related Identifiers

BIT-MINIO-2026-33322
CVE-2026-33322
GHSA-5CX5-WH4M-82FH
GO-2026-4779
SUSE-SU-2026:1135-1

Affected Products

Minio
Minio Aistor