{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33322", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T21:23:36.677Z", "datePublished": "2026-03-24T19:05:04.705Z", "dateUpdated": "2026-03-25T14:28:14.561Z"}, "containers": {"cna": {"title": "MinIO: JWT Algorithm Confusion in OIDC Authentication", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.2, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh"}], "affected": [{"vendor": "minio", "product": "minio", "versions": [{"version": ">= RELEASE.2022-11-08T05-27-07Z, < RELEASE.2026-03-17T21-25-16Z", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:05:04.705Z"}, "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z."}], "source": {"advisory": "GHSA-5cx5-wh4m-82fh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:00:14.071665Z", "id": "CVE-2026-33322", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:28:14.561Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33322", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T14:00:14.071665Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:00:25.744Z"}}], "cna": {"title": "MinIO: JWT Algorithm Confusion in OIDC Authentication", "source": {"advisory": "GHSA-5cx5-wh4m-82fh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "minio", "product": "minio", "versions": [{"status": "affected", "version": ">= RELEASE.2022-11-08T05-27-07Z, < RELEASE.2026-03-17T21-25-16Z"}]}], "references": [{"url": "https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh", "name": "https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:05:04.705Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33322", "state": "PUBLISHED", "dateUpdated": "2026-03-25T14:28:14.561Z", "dateReserved": "2026-03-18T21:23:36.677Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T19:05:04.705Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF0498AE-5809-41DD-A2B5-FCFF799B18F2", "versionEndExcluding": "2026-03-17t21-25-16z", "versionStartIncluding": "2022-11-08t05-27-07z", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z."}, {"lang": "es", "value": "MinIO es un sistema de almacenamiento de objetos de alto rendimiento. Desde RELEASE.2022-11-08T05-27-07Z hasta antes de RELEASE.2026-03-17T21-25-16Z, una vulnerabilidad de confusi\u00f3n de algoritmo JWT en la autenticaci\u00f3n OpenID Connect de MinIO permite a un atacante que conoce el OIDC ClientSecret forjar tokens de identidad arbitrarios y obtener credenciales S3 con cualquier pol\u00edtica, incluyendo consoleAdmin. Este problema ha sido parcheado en RELEASE.2026-03-17T21-25-16Z."}], "id": "CVE-2026-33322", "lastModified": "2026-04-08T19:05:00.710", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T20:16:27.857", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[RELEASE.2022-11-08T05-27-07Z,RELEASE.2026-03-17T21-25-16Z)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "minio", "source": "cna", "vendor": "minio"}, "product": "minio", "vendor": "minio"}], "analysis": {"en": {"generated_at": "2026-04-08T20:43:08.771067+00:00", "value": {"mitigation_remediation": ["Apply the vendor-supported patch by upgrading MinIO to RELEASE.2026\u201103\u201117T21\u201125\u201116Z or a newer version.", "If an immediate upgrade is not feasible, rotate and revoke the OIDC ClientSecret and limit its distribution to trusted services.", "Enforce strict JWT algorithm validation by ensuring only a single algorithm, such as RS256, is accepted in the OIDC configuration.", "Monitor authentication logs for unexpected token issuance or elevated privileges, and audit access controls regularly."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "This issue affects MinIO object storage versions between RELEASE.2022-11-08T05-27-07Z and just before RELEASE.2026-03-17T21-25-16Z. All installations of MinIO that use OpenID Connect for authentication in this period are vulnerable. Upgrade to the patched release from 2026\u201103\u201117 or later to eliminate the weakness.", "description_and_impact": "The flaw arises from a JWT algorithm confusion in MinIO\u2019s OIDC authentication path. By knowing the OIDC ClientSecret, an attacker can fabricate identity tokens that win the token verification step and gain S3 credentials. The issued credentials can include any policy, up to consoleAdmin, giving the attacker full control over the object storage instance. This leads to complete loss of confidentiality, integrity, and availability of stored data and the administrative interface.", "risk_and_exploitability": "The CVSS base score of 9.2 reflects a high severity, and the EPSS score indicates exploitation is unlikely (<1%). However, the vulnerability is still significant because the attacker only needs the OIDC ClientSecret, which could be leaked or accessed by an insider. The attack vector is inferred to be remote over the network, requiring access to the OIDC configuration. The CVE is not listed in the CISA KEV catalog, yet the potential for privilege escalation warrants immediate attention."}}}}, "created": "2026-03-25T11:46:24.813387+00:00", "updated": "2026-04-09T08:29:37.755103+00:00", "vendors": ["minio", "minio$PRODUCT$minio"]}