MinIO flaws enabled forged OIDC tokens and LDAP brute-force to seize S3 access
MinIO disclosed two high-severity authentication vulnerabilities that could let attackers obtain unauthorized access to S3 data and administrative functions. CVE-2026-33322 affects OpenID Connect authentication in versions from RELEASE.2022-11-08T05-27-07Z up to, but not including, RELEASE.2026-03-17T21-25-16Z: a JWT algorithm confusion issue lets an attacker who knows the OIDC ClientSecret forge identity tokens and obtain S3 credentials with arbitrary policies, including consoleAdmin. The flaw creates a direct path to compromising confidentiality, integrity, and availability across affected MinIO deployments.
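The mitigation for algorithm confusion is to pin the signature algorithm to what the IdP is configured for before any signature check, rather than trusting the token's own `alg` header. The following is an added illustration written for this summary, not MinIO's code; the names `ASYMMETRIC_ALGS`, `check_alg`, `is_acceptable` and `sample_token` are this example's assumptions.

```python
import base64
import json

# Defensive pre-check for an OIDC identity token: the verifier decides the
# algorithm from its own configuration, never from the token header.
# Names here are this example's assumptions, not MinIO's code.
ASYMMETRIC_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
                   "ES256", "ES384", "ES512"}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def parse_header(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("malformed JWT header")
    return header

def check_alg(token: str, configured_alg: str) -> str:
    """Return the header alg only if it equals configured_alg.

    Rejects unsigned tokens, any HMAC (HS*) alg when the IdP key is asymmetric,
    and any other mismatch; the signature is then verified with the key
    matching configured_alg, never with a key type the token chose."""
    if configured_alg not in ASYMMETRIC_ALGS:
        raise ValueError(f"refusing symmetric or unknown configured alg {configured_alg!r}")
    alg = parse_header(token).get("alg")
    if not isinstance(alg, str) or alg.lower() == "none":
        raise ValueError("unsigned token rejected")
    if alg.upper().startswith("HS"):
        raise ValueError("HMAC-signed token rejected: IdP key is asymmetric")
    if alg != configured_alg:
        raise ValueError(f"header alg {alg!r} != configured {configured_alg!r}")
    return alg

def is_acceptable(token: str, configured_alg: str) -> bool:
    try:
        check_alg(token, configured_alg)
        return True
    except ValueError:
        return False

def sample_token(header: dict, claims: dict) -> str:
    # Constructed, unsigned sample token (empty signature segment) for tests.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}."
```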
A second issue, CVE-2026-33419, affects the STS AssumeRoleWithLDAPIdentity endpoint in MinIO AIStor before RELEASE.2026-03-17T21-25-16Z. Distinct error messages enabled LDAP username enumeration, and the absence of rate limiting allowed unlimited password-guessing attempts by an unauthenticated network attacker. If exploited, the weakness could yield temporary AWS-style STS credentials and expose S3 buckets and objects to unauthorized access. MinIO patched both vulnerabilities in RELEASE.2026-03-17T21-25-16Z.
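Until the patch is applied, the two LDAP weaknesses show up in audit data as one source rejecting many distinct usernames (enumeration) or hammering one username (password guessing). The detection below is an added example for this summary, not MinIO tooling; the JSON field names (`ts`, `src`, `user`, `status`) and the sample lines are constructed assumptions, not MinIO's audit schema.

```python
import json
from collections import defaultdict

# Constructed sample audit lines in a hypothetical JSON shape; the field
# names are this example's assumptions, not MinIO's real audit schema.
# Each line is one AssumeRoleWithLDAPIdentity call; status 403 = rejected.
SAMPLE_LOG = "\n".join([
    '{"ts": 0,  "src": "203.0.113.7",  "user": "alice", "status": 403}',
    '{"ts": 5,  "src": "203.0.113.7",  "user": "bob",   "status": 403}',
    '{"ts": 9,  "src": "203.0.113.7",  "user": "carol", "status": 403}',
    '{"ts": 30, "src": "198.51.100.4", "user": "erin",  "status": 403}',
    '{"ts": 31, "src": "198.51.100.4", "user": "erin",  "status": 403}',
    '{"ts": 32, "src": "198.51.100.4", "user": "erin",  "status": 403}',
    '{"ts": 33, "src": "198.51.100.4", "user": "erin",  "status": 403}',
    '{"ts": 50, "src": "192.0.2.9",    "user": "frank", "status": 200}',
])

def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_ldap_sts_abuse(events, window=60, max_failures=4, max_distinct_users=3):
    """Return {src_ip: reason} for sources whose rejected LDAP STS calls look
    like password guessing (>= max_failures in `window` seconds) or username
    enumeration (>= max_distinct_users distinct names rejected in the window).
    Thresholds are deliberately low to fit the sample; tune them in production."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["status"] != 200:
            by_src[ev["src"]].append((ev["ts"], ev["user"]))
    findings = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window` s.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            users = {user for _, user in span}
            if len(span) >= max_failures:
                findings[src] = f"{len(span)} rejected logins in {window}s (brute force)"
                break
            if len(users) >= max_distinct_users:
                findings[src] = f"{len(users)} distinct usernames rejected in {window}s (enumeration)"
                break
    return findings
```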
Timeline
Mar 24, 2026
CVE-2026-33322 and CVE-2026-33419 are published
New CVE entries were published documenting two high-severity MinIO issues: CVE-2026-33322, which allows forged OIDC identity tokens if the ClientSecret is known, and CVE-2026-33419, which enables LDAP username enumeration and unlimited password guessing for STS credentials.
Mar 17, 2026
MinIO releases fix for two authentication flaws
MinIO patched two authentication vulnerabilities in release RELEASE.2026-03-17T21-25-16Z: an LDAP user-enumeration and brute-force issue in the STS AssumeRoleWithLDAPIdentity endpoint, and a JWT algorithm confusion flaw in OIDC authentication.
Related Stories

MinIO Flaws Enable Security Bypass and Information Disclosure
German authorities issued advisories for multiple **MinIO** vulnerabilities that can bypass security controls, with one notice also warning of **information disclosure**. The advisories identify weaknesses in the object storage platform that could allow attackers to circumvent intended protections and expose sensitive data under certain conditions. A later advisory expanded the scope from a single issue to **multiple vulnerabilities** affecting MinIO, all tied to bypassing security measures. Organizations using MinIO should review the referenced advisories, identify affected deployments, and prioritize vendor fixes or mitigations to reduce the risk of unauthorized access and data exposure.
Today
MinIO Authentication Bypass Lets Attackers Write Arbitrary Objects to Buckets
MinIO disclosed authentication bypass flaws in its `STREAMING-UNSIGNED-PAYLOAD-TRAILER` upload path that let an attacker with knowledge of a valid access key write arbitrary objects to any bucket without the corresponding secret key or a valid cryptographic signature. The issues affect releases from `RELEASE.2023-05-18T00-05-36Z` up to, but not including, `RELEASE.2026-04-11T03-20-12Z`, and were assigned a CVSS v4.0 score of **8.8**. One tracked issue, `CVE-2026-41145`, abuses inconsistent credential handling by omitting the `Authorization` header and supplying credentials through `X-Amz-Credential`, allowing requests to bypass signature verification in `PutObjectHandler` and `PutObjectPartHandler` across standard, warehouse, and multipart upload paths.
2 weeks ago
LiteLLM Flaws Enable Privilege Escalation and OIDC Authentication Bypass
LiteLLM fixed two high-severity vulnerabilities in version `1.83.0` that could allow attackers to gain elevated access in AI gateway deployments. **CVE-2026-35029** stems from missing admin authorization on the `/config/update` endpoint, allowing an authenticated low-privilege user to change proxy settings and environment variables. The flaw could be abused to register attacker-controlled Python handlers for remote code execution, read arbitrary server files, and overwrite UI credentials to seize privileged accounts, creating broad confidentiality, integrity, and availability risk. The same release also addressed **CVE-2026-35030**, an authentication bypass affecting LiteLLM deployments that enabled JWT-based authentication. In vulnerable versions, the platform used the first 20 characters of a token as the OIDC userinfo cache key, allowing a crafted token with a matching prefix to collide with a legitimate cached session and inherit that user's identity and permissions. JWT-based authentication is not enabled by default, limiting exposure to specific configurations, but together the flaws highlight significant access-control weaknesses in LiteLLM versions prior to `1.83.0`.
6 days ago