PT-2026-26481 · Go · Github.Com/Minio/Minio
Published
2026-03-19
·
Updated
2026-03-19
·
CVE-2026-33322
CVSS v4.0
9.2
Critical
| AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Impact
What kind of vulnerability is it? Who is impacted?
A JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC
ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin.An attacker with knowledge of the OIDC
ClientSecret can:- Impersonate any user identity
- Obtain S3 credentials with any IAM policy, including
consoleAdmin - Access, modify, or delete any data in the MinIO deployment
The attack is deterministic (100% success rate, no race conditions).
Attack Prerequisites
The attacker must know the OIDC
ClientSecret. While this is a shared credential (not a private key), it is more accessible than commonly assumed:- CVE-2023-28432 previously leaked environment variables including
MINIO IDENTITY OPENID CLIENT SECRET - Client secrets are often present in frontend OAuth configurations, mobile app bundles, CI/CD pipelines, and shared configuration files
- In many organizations, the client secret is accessible to operators and engineers who should not be able to forge arbitrary identities
Affected Versions
All MinIO releases from
RELEASE.2022-11-08T05-27-07Z through the final release of the minio/minio open-source project.Patches
Fixed in: MinIO AIStor
RELEASE.2026-03-17T21-25-16ZDownloads
Binary Downloads
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio |
| Linux | arm64 | minio |
| macOS | arm64 | minio |
| macOS | amd64 | minio |
| Windows | amd64 | minio.exe |
FIPS Binaries
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio.fips |
| Linux | arm64 | minio.fips |
Package Downloads
| Format | Architecture | Download |
|---|---|---|
| DEB | amd64 | [minio 20260317212516.0.0 amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio 20260317212516.0.0 amd64.deb) |
| DEB | arm64 | [minio 20260317212516.0.0 arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio 20260317212516.0.0 arm64.deb) |
| RPM | amd64 | [minio-20260317212516.0.0-1.x86 64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260317212516.0.0-1.x86 64.rpm) |
| RPM | arm64 | minio-20260317212516.0.0-1.aarch64.rpm |
Container Images
# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z
# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fipsHomebrew (macOS)
brew install minio/aistor/minioWorkarounds
- Users of the open-source
minio/minioproject should upgrade to MinIO AIStorRELEASE.2026-03-17T21-25-16Zor later. - As a workaround, ensure that the OIDC
ClientSecretis treated as a highly sensitive credential and is not exposed to untrusted parties.
Fix
Use of a Broken Cryptographic Algorithm
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Github.Com/Minio/Minio