GHSA-5cx5-wh4m-82fh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5cx5-wh4m-82fh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-5cx5-wh4m-82fh/GHSA-5cx5-wh4m-82fh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5cx5-wh4m-82fh
- Aliases
-
- BIT-minio-2026-33322
- CVE-2026-33322
- GO-2026-4779
- Published
- 2026-03-19T17:56:37Z
- Modified
- 2026-03-27T22:03:48.173461Z
- Severity
-
- 9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- MinIO has JWT Algorithm Confusion in OIDC Authentication
- Details
-
Impact
What kind of vulnerability is it? Who is impacted?
A JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC
ClientSecretto forge arbitrary identity tokens and obtain S3 credentials with any policy, includingconsoleAdmin.An attacker with knowledge of the OIDC
ClientSecretcan:- Impersonate any user identity
- Obtain S3 credentials with any IAM policy, including
consoleAdmin - Access, modify, or delete any data in the MinIO deployment
The attack is deterministic (100% success rate, no race conditions).
Attack Prerequisites
The attacker must know the OIDC
ClientSecret. While this is a shared credential (not a private key), it is more accessible than commonly assumed:- CVE-2023-28432 previously leaked environment variables including
MINIO_IDENTITY_OPENID_CLIENT_SECRET - Client secrets are often present in frontend OAuth configurations, mobile app bundles, CI/CD pipelines, and shared configuration files
- In many organizations, the client secret is accessible to operators and engineers who should not be able to forge arbitrary identities
Affected Versions
All MinIO releases from
RELEASE.2022-11-08T05-27-07Zthrough the final release of theminio/minioopen-source project.Patches
Fixed in: MinIO AIStor
RELEASE.2026-03-17T21-25-16ZDownloads
Binary Downloads
| Platform | Architecture | Download | | -------- | ------------ | --------------------------------------------------------------------------- | | Linux | amd64 | minio | | Linux | arm64 | minio | | macOS | arm64 | minio | | macOS | amd64 | minio | | Windows | amd64 | minio.exe |
FIPS Binaries
| Platform | Architecture | Download | | -------- | ------------ | --------------------------------------------------------------------------- | | Linux | amd64 | minio.fips | | Linux | arm64 | minio.fips |
Package Downloads
| Format | Architecture | Download | | ------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------- | | DEB | amd64 | minio20260317212516.0.0amd64.deb | | DEB | arm64 | minio20260317212516.0.0arm64.deb | | RPM | amd64 | minio-20260317212516.0.0-1.x86_64.rpm | | RPM | arm64 | minio-20260317212516.0.0-1.aarch64.rpm |
Container Images
# Standard docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z # FIPS docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fipsHomebrew (macOS)
brew install minio/aistor/minioWorkarounds
- Users of the open-source
minio/minioproject should upgrade to MinIO AIStorRELEASE.2026-03-17T21-25-16Zor later. - As a workaround, ensure that the OIDC
ClientSecretis treated as a highly sensitive credential and is not exposed to untrusted parties.
- Database specific
{ "nvd_published_at": "2026-03-24T20:16:27Z", "github_reviewed_at": "2026-03-19T17:56:37Z", "cwe_ids": [ "CWE-287", "CWE-327" ], "severity": "CRITICAL", "github_reviewed": true }- References
Affected packages
Go / github.com/minio/minio
Package
- Name
- github.com/minio/minio
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/minio/minio