Improper Authentication Affecting minio-fips package, versions <0.20260604.005411-r0


Severity

Recommended
0.0
critical
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.41% (33rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-MINIOFIPS-17239527
  • published9 Jun 2026
  • disclosed24 Mar 2026

Introduced: 24 Mar 2026

CVE-2026-33322  (opens in a new tab)
CWE-287  (opens in a new tab)

How to fix?

Upgrade Chainguard minio-fips to version 0.20260604.005411-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream minio-fips package and not the minio-fips package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. This issue has been patched in RELEASE.2026-03-17T21-25-16Z.

CVSS Base Scores

version 3.1