CVE-2026-32597 PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

🗓️ 12 Mar 2026 21:41:50Reported by GitHub_MType

PyJWT before 2.12.0 accepts unknown critical header extensions in JWS, violating RFC 7515; fixed in 2.12.0.

Reporter	Title	Published	Views	Family All 162
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM watsonx Code Assistant On Prem	9 Apr 202610:57	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM watsonx Code Assistant On Prem	23 Mar 202615:13	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Edge Data Collector uses PyJWT-2.10.1-py3-none-any.whl, pyjwt-2.11.0-py3-none-any.whl which is vulnerable to CVE-2026-32597.	4 May 202614:36	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in pyjwt-2.11.0-py3-none-any.whl	29 Apr 202617:40	–	ibm
IBM Security Bulletins	Security Bulletin: PyJWT Fails to Validate Critical (crit) Header Parameter, Allowing Token Acceptance	4 May 202612:30	–	ibm
ATTACKERKB	CVE-2026-32597	12 Mar 202621:41	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : python3-jwt, python3-jwt+crypto (ALAS2023-2026-1519)	2 Apr 202600:00	–	nessus
Tenable Nessus	AlmaLinux 8 : fence-agents (ALSA-2026:12176)	30 Apr 202600:00	–	nessus
Tenable Nessus	AlmaLinux 10 : fence-agents (ALSA-2026:13916)	6 May 202600:00	–	nessus
Tenable Nessus	Debian dla-4564 : python3-jwt - security update	5 May 202600:00	–	nessus

[
  {
    "vendor": "jpadilla",
    "product": "pyjwt",
    "versions": [
      {
        "version": "< 2.12.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f

12 Mar 2026 21:41Current

CVSS 3.17.5

EPSS0.00014