CVE-2026-33322: MinIO has JWT Algorithm Confusion in OIDC Authentication
What kind of vulnerability is it? Who is impacted?
A JWT algorithm confusion vulnerability in MinIO’s OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin.
An attacker with knowledge of the OIDC ClientSecret can:
- Impersonate any user identity
- Obtain S3 credentials with any IAM policy, including consoleAdmin
- Access, modify, or delete any data in the MinIO deployment
The attack is deterministic (100% success rate, no race conditions).