CVE-2026-33322 — MinIO: JWT Algorithm Confusion in OIDC Authentication

Description

MinIO is a high-performance object storage system. From 2022.11.08 to before 2026.03.17, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in 2026.03.17.

How to fix CVE-2026-33322

To remediate CVE-2026-33322, upgrade the affected package to a fixed version below.

Bitnami/minio—upgrade to 2026.03.17 or later
—no fix listed
—no fix listed

Is CVE-2026-33322 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

>= 2022.11.08, < 2026.03.17
from 0, <= 0.0.0-20260212201848-7aac2a2c5b7c
from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-33322
PATCHgithub.com/minio/minio
WEBgithub.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh