CVE-2026-33322

MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*

History

08 Apr 2026, 19:05

Type	Values Removed	Values Added
Summary		(es) MinIO es un sistema de almacenamiento de objetos de alto rendimiento. Desde RELEASE.2022-11-08T05-27-07Z hasta antes de RELEASE.2026-03-17T21-25-16Z, una vulnerabilidad de confusión de algoritmo JWT en la autenticación OpenID Connect de MinIO permite a un atacante que conoce el OIDC ClientSecret forjar tokens de identidad arbitrarios y obtener credenciales S3 con cualquier política, incluyendo consoleAdmin. Este problema ha sido parcheado en RELEASE.2026-03-17T21-25-16Z.
First Time		Minio Minio minio
CPE		cpe:2.3:a:minio:minio::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~() https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh -~~	() https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh - Vendor Advisory

24 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-24 20:16

Updated : 2026-06-17 10:37

NVD link : CVE-2026-33322

Mitre link : CVE-2026-33322

CVE.ORG link : CVE-2026-33322

JSON object : View

Products Affected

minio

minio

CWE

CWE-287

Improper Authentication

{"id": "CVE-2026-33322", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-33322", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T14:00:14.071665Z"}}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "minio", "product": "minio", "versions": [{"status": "affected", "version": ">= RELEASE.2022-11-08T05-27-07Z, < RELEASE.2026-03-17T21-25-16Z"}]}]}], "published": "2026-03-24T20:16:27.857", "references": [{"url": "https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z."}, {"lang": "es", "value": "MinIO es un sistema de almacenamiento de objetos de alto rendimiento. Desde RELEASE.2022-11-08T05-27-07Z hasta antes de RELEASE.2026-03-17T21-25-16Z, una vulnerabilidad de confusi\u00f3n de algoritmo JWT en la autenticaci\u00f3n OpenID Connect de MinIO permite a un atacante que conoce el OIDC ClientSecret forjar tokens de identidad arbitrarios y obtener credenciales S3 con cualquier pol\u00edtica, incluyendo consoleAdmin. Este problema ha sido parcheado en RELEASE.2026-03-17T21-25-16Z."}], "lastModified": "2026-06-17T10:37:19.350", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EF0498AE-5809-41DD-A2B5-FCFF799B18F2", "versionEndExcluding": "2026-03-17t21-25-16z", "versionStartIncluding": "2022-11-08t05-27-07z"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}