Platform: go
Component: github.com/minio/minio
Fixed in: 2022.0.1, 0.0.1
CVE-2026-33322 describes a critical JWT algorithm confusion vulnerability discovered in MinIO, a popular object storage server. This flaw allows an attacker possessing the OpenID Connect (OIDC) ClientSecret to forge identity tokens, effectively impersonating any user and obtaining S3 credentials with elevated privileges, including consoleAdmin. The vulnerability affects MinIO versions up to and including 0.0.0-20260212201848-7aac2a2c5b7c, and a fix has been released in RELEASE.2026-03-17T21-25-16Z.
The impact of CVE-2026-33322 is severe. An attacker who successfully exploits this vulnerability can impersonate any user within the MinIO deployment. Critically, they can obtain S3 credentials with any IAM policy, including the highly privileged consoleAdmin role. This grants them unrestricted access to the MinIO storage, enabling them to read, modify, and delete any data stored within the system. The attack is deterministic, meaning it is highly reliable and does not rely on race conditions or other unpredictable factors. This vulnerability presents a significant risk to organizations relying on MinIO for data storage and protection.
Public details regarding CVE-2026-33322 are relatively recent, with the CVE published on 2026-03-19. The vulnerability's deterministic nature and the ease of exploitation, given access to the ClientSecret, suggest a potential for widespread exploitation. While no confirmed exploitation campaigns have been publicly reported as of this writing, the vulnerability's severity warrants immediate attention and remediation. It is not currently listed on the CISA KEV catalog.
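To make the verifier-side point concrete, the following is an added Go example; it is not MinIO's code and not taken from the advisory. It assumes the identity provider signs ID tokens with RS256 (a common choice, but an assumption here) and shows a verifier that fixes the accepted algorithm itself instead of trusting the token's `alg` header, so a token signed with HS256 over a shared secret such as the OIDC client secret is rejected before any key material is consulted. The helper names, the sample claims and the placeholder secret are all constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// jwtHeader is the decoded JOSE header of a compact-serialized JWT.
type jwtHeader struct {
	Alg string `json:"alg"`
	Typ string `json:"typ,omitempty"`
}

// signHS256 builds a compact JWT with an HMAC-SHA256 signature over secret.
// It stands in for what a holder of a shared secret could produce; the point
// of the example is that VerifyIDToken refuses it regardless of the key.
func signHS256(payload, secret []byte) string {
	h := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	p := base64.RawURLEncoding.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(h + "." + p))
	return h + "." + p + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// signRS256 builds a compact JWT signed with RSASSA-PKCS1-v1_5 / SHA-256,
// standing in for the identity provider's token issuance (assumed RS256).
func signRS256(payload []byte, key *rsa.PrivateKey) (string, error) {
	h := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	p := base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(h + "." + p))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return h + "." + p + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyIDToken checks a compact JWT against the provider's RSA public key.
// The accepted algorithm is decided by the verifier, never by the token: any
// header whose alg is not RS256 is rejected before the signature is examined,
// which is the check that closes an algorithm-confusion hole.
func VerifyIDToken(token string, pub *rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected header.payload.signature")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr jwtHeader
	if err := json.Unmarshal(rawHeader, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q: only RS256 is accepted", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	rawPayload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(rawPayload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	// Constructed key pair standing in for the identity provider's signing key.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	genuine, _ := signRS256([]byte(`{"sub":"alice","policy":"readonly"}`), key)
	// Constructed HS256 token using a placeholder shared secret.
	forged := signHS256([]byte(`{"sub":"alice","policy":"consoleAdmin"}`), []byte("client-secret-placeholder"))

	claims, err := VerifyIDToken(genuine, &key.PublicKey)
	fmt.Println("RS256 token:", claims, err)
	_, err = VerifyIDToken(forged, &key.PublicKey)
	fmt.Println("HS256 token:", err)
}
```

The design choice worth noting is that the allowed algorithm is a property of the verifier's configuration, not data read from the token; a verifier that selects its key and primitive from the header is exactly what lets a symmetric signature be accepted in place of an asymmetric one.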
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
The primary mitigation for CVE-2026-33322 is to immediately upgrade to the patched version, RELEASE.2026-03-17T21-25-16Z or later. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider temporarily rotating the OIDC ClientSecret to invalidate any potentially compromised tokens. While not a complete solution, this can limit the window of opportunity for attackers. Review your MinIO configuration to ensure the OIDC client secret is stored securely and access is restricted to authorized personnel. Monitor MinIO logs for any suspicious activity related to token issuance or authentication failures.
Update MinIO to version RELEASE.2026-03-17T21-25-16Z or later. This update fixes the JWT algorithm confusion vulnerability in OIDC authentication.
CVE-2026-33322 is a critical vulnerability in MinIO where an attacker with the OIDC ClientSecret can forge identity tokens, gaining unauthorized access to S3 credentials and potentially full data control.
If you are running MinIO versions prior to RELEASE.2026-03-17T21-25-16Z and use OpenID Connect authentication, you are potentially affected by this vulnerability.
Upgrade to MinIO version RELEASE.2026-03-17T21-25-16Z or later to remediate the vulnerability. Consider rotating the OIDC ClientSecret as a temporary mitigation.
While no confirmed exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation suggest a potential for future attacks.
Refer to the official MinIO security advisory for detailed information and updates regarding CVE-2026-33322: [https://docs.min.io/minio/minio-security-advisories](https://docs.min.io/minio/minio-security-advisories)