{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33322", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T21:23:36.677Z", "datePublished": "2026-03-24T19:05:04.705Z", "dateUpdated": "2026-03-25T14:28:14.561Z"}, "containers": {"cna": {"title": "MinIO: JWT Algorithm Confusion in OIDC Authentication", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.2, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh"}], "affected": [{"vendor": "minio", "product": "minio", "versions": [{"version": ">= RELEASE.2022-11-08T05-27-07Z, < RELEASE.2026-03-17T21-25-16Z", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:05:04.705Z"}, "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z."}], "source": {"advisory": "GHSA-5cx5-wh4m-82fh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:00:14.071665Z", "id": "CVE-2026-33322", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:28:14.561Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "MinIO: JWT Algorithm Confusion in OIDC Authentication", "source": {"advisory": "GHSA-5cx5-wh4m-82fh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "minio", "product": "minio", "versions": [{"status": "affected", "version": ">= RELEASE.2022-11-08T05-27-07Z, < RELEASE.2026-03-17T21-25-16Z"}]}], "references": [{"url": "https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh", "name": "https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:05:04.705Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33322", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T14:00:14.071665Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-25T14:00:25.744Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-33322", "state": "PUBLISHED", "dateUpdated": "2026-03-24T19:05:04.705Z", "dateReserved": "2026-03-18T21:23:36.677Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T19:05:04.705Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z."}], "id": "CVE-2026-33322", "lastModified": "2026-03-25T15:41:58.280", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T20:16:27.857", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[RELEASE.2022-11-08T05-27-07Z,RELEASE.2026-03-17T21-25-16Z)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "minio", "source": "cna", "vendor": "minio"}, "product": "minio", "vendor": "minio"}], "analysis": {"en": {"generated_at": "2026-03-24T20:51:14.820528+00:00", "value": {"mitigation_remediation": ["Apply the MinIO update to RELEASE.2026-03-17T21-25-16Z or later to remove the algorithm confusion flaw", "Rotate all affected OIDC ClientSecrets to eliminate the possibility of token forgery", "Verify that your MinIO configuration restricts the issuance of S3 credentials to the minimum necessary policies"], "summary": {"action": "Apply Patch", "impact": "Full System Access"}, "threat_synthesis": {"affected_systems": "All MinIO releases from RELEASE.2022-11\u201108T05-27-07Z up to, but not including, RELEASE.2026-03\u201117T21-25-16Z are impacted. The issue was fixed in RELEASE.2026-03\u201117T21-25-16Z.", "description_and_impact": "MinIO\u2019s OIDC authentication contains a JWT algorithm confusion flaw that allows an attacker who knows the OIDC ClientSecret to forge identity tokens. By doing so, the attacker can obtain S3 credentials with any policy, including consoleAdmin, giving unrestricted access to the storage system. The weakness is an instance of improper authentication, mapped to CWE\u2011287.", "risk_and_exploitability": "The CVSS score of 9.2 signals a severe risk when the attacker can acquire the ClientSecret, which can happen if secrets are leaked or stored insecurely. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, yet the combination of high impact, the requirement for a known secret, and the potential for secret compromise suggests that exploitation is plausible and constitutes a critical threat that should be remediated immediately. The likely attack vector requires the attacker to obtain the client secret, a step that is not directly described in the CVE text but is inferred from the need to forge tokens."}}}}, "created": "2026-03-25T11:46:24.813387+00:00", "updated": "2026-03-25T20:57:50.317777+00:00", "vendors": ["minio", "minio$PRODUCT$minio"]}