MinIO OpenID Connect JWT Algorithm Confusion Vulnerability Allowing Identity Token Forgery and S3 Credential Misuse

Vulnerability

A JWT algorithm confusion vulnerability has been identified in MinIO's OpenID Connect authentication, affecting versions from RELEASE.2022-11-08T05-27-07Z prior to RELEASE.2026-03-17T21-25-16Z. This vulnerability allows an attacker who knows the OIDC ClientSecret to forge identity tokens and obtain S3 credentials with any policy, including consoleAdmin. The issue arises because the OIDC ClientSecret, a shared credential, can be accessed more easily than expected, and was even leaked in a previous CVE. Exploitation of this vulnerability could lead to unauthorized access and manipulation of data within the MinIO deployment.

Impact

Exploitation allows for the impersonation of any user identity, acquisition of S3 credentials with any IAM policy (including consoleAdmin), and access to all data within the MinIO deployment, with the ability to modify or delete it.

Remediation

Users of the open-source 'minio/minio' project should upgrade to MinIO AIStor 'RELEASE.2026-03-17T21-25-16Z' or later. As a workaround, treat the OIDC ClientSecret as a sensitive credential and avoid exposing it to untrusted parties.

Added: Mar 24, 2026, 8:40 PM
Updated: Mar 24, 2026, 8:40 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 7.5
exploitability: 6.0
remediation: 8.3
relevance: 4.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.