MinIO flaws enabled forged OIDC tokens and LDAP brute-force to seize S3 access
MinIO disclosed two high-severity authentication vulnerabilities that could let attackers obtain unauthorized access to S3 data and administrative functions. CVE-2026-33322 affects OpenID Connect authentication in versions from RELEASE.2022-11-08T05-27-07Z through versions before RELEASE.2026-03-17T21-25-16Z, where a JWT algorithm confusion issue allows an attacker who knows the OIDC ClientSecret to forge identity tokens and obtain S3 credentials with arbitrary policies, including consoleAdmin. The flaw creates a direct path to compromise confidentiality, integrity, and availability across affected MinIO deployments.
A second issue, CVE-2026-33419, affects the STS AssumeRoleWithLDAPIdentity endpoint in MinIO AIStor before RELEASE.2026-03-17T21-25-16Z. Distinct error messages enabled LDAP username enumeration, and the absence of rate limiting allowed unlimited password-guessing attempts by an unauthenticated network attacker. If exploited, the weakness could yield temporary AWS-style STS credentials and expose S3 buckets and objects to unauthorized access. MinIO patched both vulnerabilities in RELEASE.2026-03-17T21-25-16Z.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-33322 and CVE-2026-33419 are published
New CVE entries were published documenting two high-severity MinIO issues: CVE-2026-33322, which allows forged OIDC identity tokens if the ClientSecret is known, and CVE-2026-33419, which enables LDAP username enumeration and unlimited password guessing for STS credentials.
MinIO releases fix for two authentication flaws
MinIO patched two authentication vulnerabilities in release RELEASE.2026-03-17T21-25-16Z: an LDAP user-enumeration and brute-force issue in the STS AssumeRoleWithLDAPIdentity endpoint, and a JWT algorithm confusion flaw in OIDC authentication.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
MinIO Flaws Enable Security Bypass and Information Disclosure
German authorities issued advisories for multiple **MinIO** vulnerabilities that can bypass security controls, with one notice also warning of **information disclosure**. The advisories identify weaknesses in the object storage platform that could allow attackers to circumvent intended protections and expose sensitive data under certain conditions. A later advisory expanded the scope from a single issue to **multiple vulnerabilities** affecting MinIO, all tied to bypassing security measures. Organizations using MinIO should review the referenced advisories, identify affected deployments, and prioritize vendor fixes or mitigations to reduce the risk of unauthorized access and data exposure.
May 6, 2026
MinIO Authentication Bypass Lets Attackers Write Arbitrary Objects to Buckets
MinIO disclosed authentication bypass flaws in its `STREAMING-UNSIGNED-PAYLOAD-TRAILER` upload path that let an attacker with knowledge of a valid access key write arbitrary objects to any bucket without the corresponding secret key or a valid cryptographic signature. The issues affect releases from `RELEASE.2023-05-18T00-05-36Z` up to, but not including, `RELEASE.2026-04-11T03-20-12Z`, and were assigned a CVSS v4.0 score of **8.8**. One tracked issue, `CVE-2026-41145`, abuses inconsistent credential handling by omitting the `Authorization` header and supplying credentials through `X-Amz-Credential`, allowing requests to bypass signature verification in `PutObjectHandler` and `PutObjectPartHandler` across standard, warehouse, and multipart upload paths.
Apr 22, 2026
LiteLLM Flaws Enable Privilege Escalation and OIDC Authentication Bypass
LiteLLM fixed two high-severity vulnerabilities in version `1.83.0` that could allow attackers to gain elevated access in AI gateway deployments. **CVE-2026-35029** stems from missing admin authorization on the `/config/update` endpoint, allowing an authenticated low-privilege user to change proxy settings and environment variables. The flaw could be abused to register attacker-controlled Python handlers for remote code execution, read arbitrary server files, and overwrite UI credentials to seize privileged accounts, creating broad confidentiality, integrity, and availability risk. The same release also addressed **CVE-2026-35030**, an authentication bypass affecting LiteLLM deployments that enabled JWT-based authentication. In vulnerable versions, the platform used the first 20 characters of a token as the OIDC userinfo cache key, allowing a crafted token with a matching prefix to collide with a legitimate cached session and inherit that user’s identity and permissions. The issue is not enabled by default, limiting exposure to specific configurations, but together the flaws highlight significant access-control weaknesses in LiteLLM versions prior to `1.83.0`.
Apr 29, 2026