CVE-2026-33322

Impact

What kind of vulnerability is it? Who is impacted?

A JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin.

An attacker with knowledge of the OIDC ClientSecret can:

• Impersonate any user identity
• Obtain S3 credentials with any IAM policy, including consoleAdmin
• Access, modify, or delete any data in the MinIO deployment

The attack is deterministic (100% success rate, no race conditions).

Attack Prerequisites

The attacker must know the OIDC ClientSecret. While this is a shared credential (not a private key), it is more accessible than commonly assumed:

• CVE-2023-28432 previously leaked environment variables including MINIOIDENTITYOPENIDCLIENTSECRET
• Client secrets are often present in frontend OAuth configurations, mobile app bundles, CI/CD pipelines, and shared configuration files
• In many organizations, the client secret is accessible to operators and engineers who should not be able to forge arbitrary identities

​

Affected Versions

All MinIO releases from RELEASE.2022-11-08T05-27-07Z through the final release of the minio/minio open-source project.

Patches

Fixed in: MinIO AIStor RELEASE.2026-03-17T21-25-16Z

Downloads

Binary Downloads

| Platform | Architecture | Download                                                                    |

| -------- | ------------ | --------------------------------------------------------------------------- |

| Linux    | amd64        | minio           |

| Linux    | arm64        | minio           |

| macOS    | arm64        | minio          |

| macOS    | amd64        | minio          |

| Windows  | amd64        | minio.exe |

FIPS Binaries

| Platform | Architecture | Download                                                                    |

| -------- | ------------ | --------------------------------------------------------------------------- |

| Linux    | amd64        | minio.fips |

| Linux    | arm64        | minio.fips |

Package Downloads

| Format | Architecture | Download                                                                                                                            |

| ------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------- |

| DEB    | amd64        | minio20260317212516.0.0amd64.deb         |

| DEB    | arm64        | minio20260317212516.0.0arm64.deb         |

| RPM    | amd64        | minio-20260317212516.0.0-1.x86_64.rpm   |

| RPM    | arm64        | minio-20260317212516.0.0-1.aarch64.rpm |

Container Images

## Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z
## FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips

Homebrew (macOS)

brew install minio/aistor/minio

Workarounds

• Users of the open-source minio/minio project should upgrade to MinIO AIStor RELEASE.2026-03-17T21-25-16Z or later.
• As a workaround, ensure that the OIDC ClientSecret is treated as a highly sensitive credential and is not exposed to untrusted parties.