CVSS 9.5 | CVE-2026-33322 | CVE-2026-33419

MinIO Patches JWT & LDAP Flaws (CVE-2026-33322, CVE-2026-33419)

Critical vulnerabilities patched in MinIO: JWT algorithm confusion and LDAP brute-force. Update to RELEASE.2026-03-17T21-25-16Z to mitigate risks.


MinIO has released a patch to address a JWT algorithm confusion vulnerability (CVE-2026-33322) and an LDAP brute-force vulnerability (CVE-2026-33419). These vulnerabilities could allow attackers to bypass authentication or gain unauthorized access. Users of MinIO are strongly advised to update to the latest version.

Both CVE-2026-33322 and CVE-2026-33419 have a CVSS score of 9.5, indicating critical severity.

What is Github.com/minio/minio?

Github.com/minio/minio is the Go module for MinIO, an object storage server built for cloud-native environments that offers high performance, horizontal scalability, and an S3-compatible API. Because it sits directly in front of stored data, a vulnerability in MinIO can expose every object the deployment holds. To learn more, search all github.com/minio/minio CVEs.

CVE-2026-33322: MinIO JWT Algorithm Confusion

CVSS: 9.5
Affected versions: All versions of github.com/minio/minio prior to RELEASE.2026-03-17T21-25-16Z are affected.

Critical severity due to potential for complete system compromise.

EPSS score of 0.019 indicates a low probability of exploitation.

MinIO suffers from a JWT (JSON Web Token) algorithm confusion vulnerability in its OIDC (OpenID Connect) authentication implementation: the verifier trusts the algorithm named in the token header rather than the algorithm the configured key supports. An attacker could forge a JWT signed with a different algorithm than expected, pass verification, and bypass authentication to gain unauthorized access.
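The defensive pattern that closes this class of bug is to pin the signing algorithm to the key the server holds and reject any token whose header says otherwise, before any cryptographic work happens. The Go program below is an added illustration and is not MinIO's code; the key pair, issuer URL and claims are constructed for the demo, and only the standard library is used. VerifyRS256 refuses HS256 and "none" tokens on the alg check alone, so the RSA public key can never be reinterpreted as an HMAC secret.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// jwtHeader carries the only header field this verifier inspects.
type jwtHeader struct {
	Alg string `json:"alg"`
}

func encodeSegment(v interface{}) string {
	b, _ := json.Marshal(v)
	return base64.RawURLEncoding.EncodeToString(b)
}

func decodeSegment(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyRS256 validates a compact JWT against the RSA public key the IdP is
// configured with. The algorithm is dictated by the key, not by the token,
// and is checked before any signature code runs.
func VerifyRS256(token string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected 3 segments")
	}
	var hdr jwtHeader
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, fmt.Errorf("bad header: %w", err)
	}
	if hdr.Alg != "RS256" { // the critical check: HS256, none, etc. stop here
		return nil, fmt.Errorf("unexpected alg %q, want RS256", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var claims map[string]interface{}
	if err := decodeSegment(parts[1], &claims); err != nil {
		return nil, fmt.Errorf("bad claims: %w", err)
	}
	return claims, nil
}

// SignRS256 mints a legitimate token the way the IdP would.
func SignRS256(claims map[string]interface{}, priv *rsa.PrivateKey) (string, error) {
	input := encodeSegment(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + encodeSegment(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// SignHS256 mints an HMAC token under a caller-chosen secret; used here only
// to show that the verifier refuses it without ever touching the key.
func SignHS256(claims map[string]interface{}, secret []byte) string {
	input := encodeSegment(map[string]string{"alg": "HS256", "typ": "JWT"}) + "." + encodeSegment(claims)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Demo runs the verifier over constructed claims with a fresh key pair and
// reports: genuine token accepted, HS256 token rejected, "none" token rejected.
func Demo() (genuineOK, hs256Rejected, noneRejected bool) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	claims := map[string]interface{}{"iss": "https://idp.example", "sub": "alice"} // constructed
	genuine, err := SignRS256(claims, priv)
	if err != nil {
		return
	}
	got, err := VerifyRS256(genuine, &priv.PublicKey)
	genuineOK = err == nil && got["sub"] == "alice"
	_, err = VerifyRS256(SignHS256(claims, []byte("any-secret")), &priv.PublicKey)
	hs256Rejected = err != nil
	unsigned := encodeSegment(map[string]string{"alg": "none"}) + "." + encodeSegment(claims) + "."
	_, err = VerifyRS256(unsigned, &priv.PublicKey)
	noneRejected = err != nil
	return
}

func main() {
	fmt.Println(Demo()) // prints: true true true
}
```

The ordering inside VerifyRS256 is the point: the alg comparison precedes signature decoding, so no code path exists in which the token header selects which primitive is applied to the key.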

How to fix CVE-2026-33322 in Github.com/minio/minio

Patch immediately
  1. Update your MinIO deployment to version RELEASE.2026-03-17T21-25-16Z or later.

Update MinIO:

    go get -u github.com/minio/minio@latest

Verify with:

    minio --version

Workaround: There is no known workaround. Apply the patch.

NextGuard automatically flags CVE-2026-33322 if Github.com/minio/minio appears in any of your monitored projects — no manual lookup required.

CVE-2026-33419: MinIO LDAP Brute-Force Vulnerability

CVSS: 9.5
Affected versions: All versions of github.com/minio/minio prior to RELEASE.2026-03-17T21-25-16Z are affected.

Critical severity due to potential for complete system compromise.

EPSS score of 0.059 indicates a slightly higher probability of exploitation compared to CVE-2026-33322.

MinIO is vulnerable to LDAP login brute-force attacks because its login responses allow user enumeration and it applies no rate limit to failed attempts. An attacker can repeatedly attempt logins with different credentials, potentially gaining unauthorized access to the system.

How to fix CVE-2026-33419 in Github.com/minio/minio

Patch immediately
  1. Update your MinIO deployment to version RELEASE.2026-03-17T21-25-16Z or later.

Update MinIO:

    go get -u github.com/minio/minio@latest

Verify with:

    minio --version

Workaround: Until patched, place an external rate limiter (reverse proxy or WAF) in front of the LDAP login endpoint if possible, but patching is the recommended solution.
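The two weaknesses named for this CVE, user enumeration and the missing rate limit, are addressed by the same small piece of logic: count failures per source, refuse further attempts once a threshold is reached within a window, and return one identical message for "unknown user" and "wrong password". The Go program below is an added example and not MinIO's code or its workaround; the credential map, source address and timestamps are constructed for the demo. A real deployment would consult LDAP in place of the map and key the limiter on client IP (optionally IP plus username) in front of the login endpoint.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// FailureLimiter refuses attempts from a source once it has accumulated
// maxFailures within window. Time is passed in explicitly so the policy can
// be tested without sleeping.
type FailureLimiter struct {
	mu          sync.Mutex
	maxFailures int
	window      time.Duration
	failures    map[string][]time.Time
}

func NewFailureLimiter(maxFailures int, window time.Duration) *FailureLimiter {
	return &FailureLimiter{maxFailures: maxFailures, window: window, failures: map[string][]time.Time{}}
}

// prune drops failure timestamps that have aged out of the window.
func (l *FailureLimiter) prune(key string, now time.Time) []time.Time {
	kept := l.failures[key][:0]
	for _, t := range l.failures[key] {
		if now.Sub(t) < l.window {
			kept = append(kept, t)
		}
	}
	l.failures[key] = kept
	return kept
}

// Allow reports whether an attempt from key may proceed at time now.
func (l *FailureLimiter) Allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	return len(l.prune(key, now)) < l.maxFailures
}

// RecordFailure notes a failed attempt. Successes deliberately do not clear
// the history, so a lucky guess does not erase the evidence of the spray.
func (l *FailureLimiter) RecordFailure(key string, now time.Time) {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.failures[key] = append(l.prune(key, now), now)
}

// Client-visible outcomes. The two failure modes share one string so the
// response cannot be used to enumerate valid usernames.
const (
	OutcomeOK        = "authenticated"
	OutcomeDenied    = "invalid credentials"
	OutcomeThrottled = "too many attempts, retry later"
)

// users is a constructed stand-in for the directory; a real service binds to LDAP.
var users = map[string]string{"alice": "correct horse battery staple"}

// Login checks the limiter before touching the directory, so a throttled
// source never generates an LDAP bind at all.
func Login(l *FailureLimiter, source, user, password string, now time.Time) string {
	if !l.Allow(source, now) {
		return OutcomeThrottled
	}
	stored, exists := users[user]
	if !exists || stored != password {
		l.RecordFailure(source, now)
		return OutcomeDenied // same text whether or not the user exists
	}
	return OutcomeOK
}

// Demo drives the policy with constructed attempts from one source and
// reports: failure messages uniform, sixth attempt throttled even with the
// correct password, access restored once the window has elapsed.
func Demo() (uniform, throttled, recovered bool) {
	l := NewFailureLimiter(5, time.Minute)
	src := "203.0.113.7" // constructed client address
	t0 := time.Date(2026, 3, 18, 0, 0, 0, 0, time.UTC)
	unknownUser := Login(l, src, "bob", "x", t0)
	wrongPass := Login(l, src, "alice", "x", t0)
	uniform = unknownUser == wrongPass && unknownUser == OutcomeDenied
	for i := 1; i <= 3; i++ { // three more failures: five in total
		Login(l, src, "alice", "x", t0.Add(time.Duration(i)*time.Second))
	}
	throttled = Login(l, src, "alice", users["alice"], t0.Add(10*time.Second)) == OutcomeThrottled
	recovered = Login(l, src, "alice", users["alice"], t0.Add(2*time.Minute)) == OutcomeOK
	return
}

func main() {
	fmt.Println(Demo()) // prints: true true true
}
```

The threshold and window are policy knobs; the invariant worth keeping is that the limiter is consulted before the directory is, so an attacker cannot use the login endpoint to drive load into the LDAP server either.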

NextGuard automatically flags CVE-2026-33419 if Github.com/minio/minio appears in any of your monitored projects — no manual lookup required.

Stay ahead of Go vulnerabilities

Proactively identify and remediate vulnerabilities in your Go projects. Use NextGuard to monitor your Go dependencies and receive alerts on new CVEs.



These vulnerabilities highlight the importance of keeping MinIO deployments up to date. Regular patching is crucial for maintaining a strong security posture. See all Go vulnerabilities.

Related topics

MinIO, JWT, LDAP, Vulnerability, Patch