pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...

pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...

SUSE CVE-2026-32597

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 �4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting...

SUSE-SU-2026:1199-1 Security update for python-PyJWT

This update for python-PyJWT fixes the following issues: - CVE-2026-32597: Fixed unknown crit header extensions accepts bsc1259616...

fast-jwt 安全漏洞

fast-jwt is a JSON Web Token implementation open-sourced by Nearform. Versions of fast-jwt up to 6.1.0 contained security vulnerabilities, which stemmed from the lack of verification of the crit header parameter. This allowed tokens containing unknown extensions to be accepted...

Amazon Linux 2023 : python3-jwt, python3-jwt+crypto (ALAS2023-2026-1519)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1519 advisory. A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 SS4.1.11. When a JWS token contains a crit array listing...

Medium: python-jwt

Issue Overview: A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 SS4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of...

SUSE-SU-2026:20869-1 Security update for python-PyJWT

This update for python-PyJWT fixes the following issue: - CVE-2026-32597: validate the crit Header Parameter defined in RFC 7515 bsc1259616...

CVE-2026-32597

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting...

CVE-2026-32597

PyJWT prior to 2.12.0 does not validate the crit header (RFC 7515 §4.1.11). If a JWS contains a crit array with extensions PyJWT cannot understand, the library accepts the token instead of rejecting it, violating the MUST requirement. This CVE affects PyJWT and is fixed in version 2.12.0. Remedia...