JWT Algorithm Confusion Vulnerability in MinIO Object Storage System
CVE-2026-33322

9.2 CRITICAL

Key Information:

Vendor: MinIO
Status: Vendor
CVE Published: 24 March 2026

What is CVE-2026-33322?

A JWT algorithm confusion vulnerability has been identified in the MinIO Object Storage system, affecting versions from RELEASE.2022-11-08T05-27-07Z up to but not including RELEASE.2026-03-17T21-25-16Z. An attacker who possesses the OIDC ClientSecret can forge arbitrary identity tokens and exchange them for S3 credentials carrying any policy, including consoleAdmin, thereby gaining access to sensitive data stored in S3. The issue is fixed in RELEASE.2026-03-17T21-25-16Z.
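The following Go program is an added illustration of the vulnerability class named above and is not MinIO's code. It models an OIDC relying party that holds the provider's RS256 public key and the shared client secret: a verifier that lets the token's own alg header choose the key accepts an HS256 token minted with nothing but the client secret, while a verifier that pins the accepted algorithm to RS256 rejects it. The provider key, the client secret value and the claims are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// encode returns base64url(header).base64url(claims), the bytes a JWS signs.
func encode(alg string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(claims) // claims are plain JSON values here
	return base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
}

// MintRS256 is what the identity provider does with its private signing key.
func MintRS256(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	in := encode("RS256", claims)
	h := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return in + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// MintHS256 needs only the shared secret, so any holder of the secret can mint;
// that is why a client secret must never double as an id_token verification key.
func MintHS256(secret []byte, claims map[string]any) string {
	in := encode("HS256", claims)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(in))
	return in + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

func parseJWT(token string) (alg string, claims map[string]any, input, sig []byte, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", nil, nil, nil, fmt.Errorf("malformed token")
	}
	hdrB, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	bodyB, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return "", nil, nil, nil, fmt.Errorf("bad base64url segment")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err = json.Unmarshal(hdrB, &hdr); err != nil {
		return "", nil, nil, nil, err
	}
	if err = json.Unmarshal(bodyB, &claims); err != nil {
		return "", nil, nil, nil, err
	}
	return hdr.Alg, claims, []byte(parts[0] + "." + parts[1]), sig, nil
}

// Verify checks a token. allowed is the algorithm set fixed by the deployment; nil means
// "whatever the alg header says", the vulnerable pattern (HS256 checked against the secret).
func Verify(token string, pub *rsa.PublicKey, secret []byte, allowed map[string]bool) (map[string]any, error) {
	alg, claims, input, sig, err := parseJWT(token)
	if err != nil {
		return nil, err
	}
	if allowed != nil && !allowed[alg] {
		return nil, fmt.Errorf("alg %q not allowed", alg)
	}
	switch alg {
	case "RS256":
		h := sha256.Sum256(input)
		err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
	case "HS256":
		mac := hmac.New(sha256.New, secret)
		mac.Write(input)
		if !hmac.Equal(mac.Sum(nil), sig) {
			err = fmt.Errorf("bad HMAC")
		}
	default:
		err = fmt.Errorf("unsupported alg %q", alg)
	}
	if err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed provider key
	secret := []byte("constructed-client-secret")
	forged := MintHS256(secret, map[string]any{"sub": "mallory", "policy": "consoleAdmin"})
	fmt.Println(Verify(forged, &priv.PublicKey, secret, nil))                           // accepted: the header chose the key
	fmt.Println(Verify(forged, &priv.PublicKey, secret, map[string]bool{"RS256": true})) // rejected: alg "HS256" not allowed
}
```

The defensive point is the `allowed` set in `Verify`: the relying party, not the token, decides which algorithm family is acceptable, and the client secret is never consulted for id_token verification once only asymmetric algorithms are allowed. When reviewing a deployment, check the same two things in whatever JWT library is in use: that the accepted algorithms are configured explicitly, and that no shared secret is reachable as a verification key.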

Affected Version(s)

minio >= RELEASE.2022-11-08T05-27-07Z, < RELEASE.2026-03-17T21-25-16Z

References

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
