CVE-2026-33322 Overview
MinIO, a high-performance object storage system, contains a JWT algorithm confusion vulnerability in its OpenID Connect (OIDC) authentication mechanism. This vulnerability allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin privileges. The flaw affects MinIO versions from RELEASE.2022-11-08T05-27-07Z through versions before RELEASE.2026-03-17T21-25-16Z.
Critical Impact
Attackers with knowledge of the OIDC ClientSecret can forge identity tokens to gain full administrative access to MinIO deployments, potentially compromising all stored data and system configurations.
Affected Products
- MinIO versions from RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z
- MinIO deployments using OpenID Connect (OIDC) authentication
- MinIO instances with exposed or compromised OIDC ClientSecret values
Discovery Timeline
- 2026-03-24 - CVE-2026-33322 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33322
Vulnerability Analysis
This vulnerability stems from improper authentication handling (CWE-287) in MinIO's OpenID Connect integration. The JWT algorithm confusion attack occurs when the application fails to properly validate the algorithm specified in the JWT header against expected values. When an attacker possesses knowledge of the OIDC ClientSecret, they can exploit this weakness to craft malicious JWT tokens that the MinIO server incorrectly accepts as valid.
The attack enables privilege escalation by allowing the attacker to specify arbitrary policies in the forged tokens, including the highly privileged consoleAdmin policy. Once successful, the attacker gains full S3 credentials that provide unrestricted access to the object storage system.
Root Cause
The root cause of this vulnerability lies in the improper validation of JWT algorithms during the OIDC authentication flow. JWT algorithm confusion attacks typically occur when a system accepts tokens signed with algorithms different from what was originally intended. In MinIO's case, the authentication mechanism does not adequately verify that the signing algorithm used matches the expected algorithm, allowing attackers with the ClientSecret to forge valid-appearing tokens using an alternative signing method.
Attack Vector
The attack is network-accessible and does not require user interaction. An attacker needs prior knowledge of the OIDC ClientSecret to execute this attack. The exploitation flow involves:
- Obtaining or guessing the OIDC ClientSecret configured for MinIO authentication
- Crafting a malicious JWT token with arbitrary claims and policies
- Exploiting the algorithm confusion to sign the token in a way MinIO accepts
- Presenting the forged token to MinIO to obtain S3 credentials with elevated privileges
- Using the obtained credentials to access, modify, or exfiltrate data from the object storage
The vulnerability mechanism exploits weaknesses in how MinIO validates JWT token signatures during OIDC authentication. Technical details and the specific exploitation methodology are documented in the GitHub Security Advisory.
Detection Methods for CVE-2026-33322
Indicators of Compromise
- Unexpected authentication events from unknown sources using OIDC authentication
- JWT tokens with unusual algorithm headers or claims requesting elevated policies
- S3 API access patterns from new or unauthorized principals with consoleAdmin privileges
- Authentication logs showing successful OIDC logins that bypass expected identity provider flows
Detection Strategies
- Monitor MinIO audit logs for authentication events with suspicious JWT claims or policy requests
- Implement alerting on any new principals obtaining consoleAdmin or other high-privilege policies
- Review OIDC token validation logs for algorithm mismatches or unusual signing patterns
- Deploy network monitoring to detect unauthorized access to MinIO API endpoints
Monitoring Recommendations
- Enable comprehensive audit logging for all authentication and authorization events in MinIO
- Implement real-time alerting for privilege escalation attempts or policy changes
- Monitor for unusual S3 credential generation patterns, especially those granting administrative access
- Track and baseline normal OIDC authentication behavior to identify anomalies
How to Mitigate CVE-2026-33322
Immediate Actions Required
- Upgrade MinIO to version RELEASE.2026-03-17T21-25-16Z or later immediately
- Rotate OIDC ClientSecret values if there is any suspicion of compromise
- Review audit logs for evidence of exploitation prior to patching
- Temporarily disable OIDC authentication if upgrading is not immediately possible
Patch Information
MinIO has released a security patch in version RELEASE.2026-03-17T21-25-16Z that addresses this JWT algorithm confusion vulnerability. Organizations should upgrade to this version or later as soon as possible. The patch properly validates JWT algorithms during OIDC authentication to prevent token forgery attacks.
For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Restrict network access to MinIO instances to trusted networks only until patching is complete
- Implement additional authentication layers or network segmentation to limit exposure
- Monitor and audit all OIDC authentication events for suspicious activity
- Consider temporarily switching to alternative authentication mechanisms if OIDC cannot be disabled
# Example: Update MinIO to patched version
# Stop the current MinIO service
systemctl stop minio
# Download the patched release
wget https://dl.min.io/server/minio/release/linux-amd64/archive/minio.RELEASE.2026-03-17T21-25-16Z
# Replace the binary and set permissions
chmod +x minio.RELEASE.2026-03-17T21-25-16Z
mv minio.RELEASE.2026-03-17T21-25-16Z /usr/local/bin/minio
# Restart the MinIO service
systemctl start minio
# Verify the version
minio --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
