CVE-2026-33322 · CRITICAL 9.8 · EPSS p32.5%

Description

MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.41% probability of exploitation · percentile 32.5% · 2026-06-19T12:03:05Z
Published: 2026-03-24
Last modified: 2026-04-08

Underlying weaknesses · 1

CWE-287

References

  1. https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh

Type: Weakness
Target: Improper Authentication (cwe-287)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: MinIO Security Feature Bypass Vulnerability
CVE: CVE-2026-41145
CVE: CVE-2025-62506
CVE: MinIO Information Disclosure Vulnerability
CVE: CVE-2026-40344
CVE: CVE-2026-45043

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.