46 matches found
PYSEC-2026-1200 Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)
Summary Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header for example, bork or cnf that strict verifiers reject but Authlib accepts. In...
Astra Linux – Vulnerability in pyjwt
PyJWT is an implementation of JSON Web Tokens in Python. Before version 2.12.0, PyJWT did not validate the Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a critical array listing extensions that PyJWT does not understand, the library accepts the token instead of...
RockyLinux 10 : fence-agents (RLSA-2026:19138)
The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:19138 advisory. pyjwt: PyJWT accepts unknown crit header extensions RFC 7515 ?4.1.11 MUST violation CVE-2026-32597 pyasn1: pyasn1 Vulnerable to Denial of Service via...
pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...
pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...
RHEL 9 : fence-agents (RHSA-2026:21431)
The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:21431 advisory. The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or...
pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...
pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...
pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...
AlmaLinux 10 : fence-agents (ALSA-2026:13916)
The remote AlmaLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:13916 advisory. pyjwt: PyJWT accepts unknown crit header extensions RFC 7515 ?4.1.11 MUST violation CVE-2026-32597 pyasn1: pyasn1 Vulnerable to Denial of Service via...
[SECURITY] [DLA 4564-1] pyjwt security update
Debian LTS Advisory DLA-4564-1 [email protected] https://www.debian.org/lts/security/ Jochen Sprickerhof May 05, 2026 https://wiki.debian.org/LTS Package : pyjwt Version : 1.7.1-2+deb11u1 CVE ID : CVE-2026-32597 It was discovered that PyJWT, a Python implementation of JSON Web Token did...
pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...
pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...
pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...
Security Bulletin: PyJWT Fails to Validate Critical (crit) Header Parameter, Allowing Token Acceptance
Summary PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of...
pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...
SUSE-SU-2026:1400-1 Security update for python-PyJWT
This update for python-PyJWT fixes the following issues: - CVE-2026-32597: Fixed unknown crit header extensions accepts bsc1259616...
Security update for python-PyJWT
This update for python-PyJWT fixes the following issues: CVE-2026-32597: Fixed unknown crit header extensions accepts bsc1259616. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch". Alternatively you can run the...
SUSE-SU-2026:1389-1 Security update for python-PyJWT
This update for python-PyJWT fixes the following issues: - CVE-2026-32597: Fixed unknown crit header extensions accepts bsc1259616...
CVE-2026-35042
fast-jwt provides fast JSON Web Token JWT implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token...