Platform: go
Component: github.com/minio/minio
Fixed in: 2022.0.1, 0.0.1
CVE-2026-33322 describes a critical JWT algorithm confusion vulnerability discovered in MinIO, a popular object storage server. This flaw allows an attacker possessing the OpenID Connect (OIDC) ClientSecret to forge identity tokens, effectively impersonating any user and obtaining S3 credentials with elevated privileges, including consoleAdmin. The vulnerability affects MinIO versions up to and including 0.0.0-20260212201848-7aac2a2c5b7c, and a fix has been released in RELEASE.2026-03-17T21-25-16Z.
The impact of CVE-2026-33322 is severe. An attacker who successfully exploits this vulnerability can gain complete control over the MinIO deployment. This includes the ability to access, modify, and delete any data stored within the object storage system. The deterministic nature of the attack – a 100% success rate without race conditions – significantly increases the risk. The ability to obtain consoleAdmin credentials allows for full administrative access, enabling the attacker to configure the system, create new users, and potentially pivot to other systems within the network. This vulnerability shares similarities with other algorithm confusion attacks where improper validation of cryptographic parameters leads to unauthorized access.
CVE-2026-33322 was published on 2026-03-19. The vulnerability's criticality (CVSS score of 9.5) indicates a high probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the deterministic nature of the attack and the ease of obtaining the ClientSecret (if it is not properly secured) suggest a potential for rapid exploitation. The vulnerability is not currently listed on KEV or EPSS, but its severity warrants close monitoring. Refer to the official MinIO advisory for further details.
Organizations utilizing MinIO for object storage, particularly those relying on OpenID Connect for authentication, are at risk. Deployments with weak OIDC ClientSecret storage practices or those using shared hosting environments where the ClientSecret might be inadvertently exposed are especially vulnerable. Legacy MinIO configurations that haven't been regularly updated are also at increased risk.
• linux / server:
  journalctl -u minio -g 'oidc token'
• generic web:
  curl -I <minio_endpoint>/ -H 'Authorization: Bearer <potentially forged token>'
• linux / server:
  lsof -i :9000 | grep minio
• linux / server:
  ps aux | grep minio
EPSS: 0.02% (5th percentile)
The primary mitigation for CVE-2026-33322 is to immediately upgrade MinIO to RELEASE.2026-03-17T21-25-16Z or a later version. If an immediate upgrade is not feasible, consider rotating the OIDC ClientSecret as a temporary measure, although this does not fully address the underlying vulnerability. Review and restrict access to the OIDC ClientSecret to prevent unauthorized disclosure. Implement Web Application Firewall (WAF) rules to detect and block suspicious JWT requests, specifically those attempting to manipulate the alg parameter. Monitor MinIO logs for unusual authentication activity or attempts to forge identity tokens. After upgrading, confirm successful remediation by authenticating with a known valid user and verifying that the granted access permissions are as expected.
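As an added illustration, not MinIO's code and not part of the advisory, the following Go id_token verifier shows the control an algorithm-confusion flaw lacks: the alg is pinned to RS256 before any key is touched, so a token whose header claims HS256 (or none) is refused even if it carries a valid HMAC under the ClientSecret. The `SignRS256` helper, the key generation and the claim values are constructed placeholders standing in for the identity provider.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
// VerifyIDToken checks an OIDC id_token against the provider's RSA public key.
// The alg header is compared to a constant and never used to pick a key or a MAC.
func VerifyIDToken(token string, pub *rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT: %d segments", len(parts))
	}
	raw := make([][]byte, 3) // decoded header, claims, signature
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // pinned allow-list: HS*, none, etc. are rejected here
		return nil, fmt.Errorf("alg %q rejected: id_token must be RS256", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	var claims map[string]any
	return claims, json.Unmarshal(raw[1], &claims)
}

// SignRS256 stands in for the identity provider (constructed sample, not MinIO code).
func SignRS256(priv *rsa.PrivateKey, claims string) (string, error) {
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(claims))
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}
```

In a real deployment the public key comes from the provider's JWKS endpoint, selected by the token's `kid`; the alg pin must still be applied before that lookup.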
Update MinIO to version RELEASE.2026-03-17T21-25-16Z or later. This update fixes the JWT algorithm confusion vulnerability in OIDC authentication.
CVE-2026-33322 is a critical vulnerability in MinIO where an attacker with the OIDC ClientSecret can forge identity tokens, gaining unauthorized access to S3 credentials and potentially full data control.
If you are running MinIO versions prior to RELEASE.2026-03-17T21-25-16Z and use OpenID Connect authentication, you are potentially affected by this vulnerability.
Upgrade to MinIO version RELEASE.2026-03-17T21-25-16Z or later to remediate the vulnerability. Consider rotating the OIDC ClientSecret as a temporary mitigation.
While no confirmed exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation suggest a potential for future attacks.
Refer to the official MinIO security advisory for detailed information and updates regarding CVE-2026-33322: [https://docs.min.io/minio/minio-security-advisories](https://docs.min.io/minio/minio-security-advisories)