Auth bypass in Minio

CVE-2026-33322

MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the…

Vulnerability class: Broken Authentication

EPSS: 0.000 (10.5th percentile) — read the EPSS interpretation.

Affected products

Minio — versions >= RELEASE.2022-11-08T05-27-07Z, < RELEASE.2026-03-17T21-25-16Z

Weakness classification (CWE)

CWE-287 — Improper Authentication

References

https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh (x_refsource_CONFIRM)