55 matches found

RedHat Linux
added 4 days ago, 4 views

python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens

A flaw was found in PyJWT, a Python library for JSON Web Token JWT implementation. When decoding JWTs, the library fails to validate the use of JSON Web Keys JWK in the HMAC algorithm while also supporting asymmetric algorithms. This allows a remote attacker to use the issuer's public key as the...

CVSS 7.4, AI score 5.5, EPSS 0.00148
Exploits: 1, References: 5
EUVD
added 5 days ago, 8 views

EUVD-2026-32917

PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed...

CVSS 7.4, AI score 5.1, EPSS 0.00148
Exploits: 1, References: 3
OPENSUSE Linux
added 5 days ago, 5 views

python311-PyJWT-2.13.0-1.1 on GA media (moderate)

python311-PyJWT-2.13.0-1.1 on GA media. Announcement ID: openSUSE-SU-2026:11024-1. Rating: moderate. Cross-References: CVE-2026-48522, CVE-2026-48523, CVE-2026-48524, CVE-2026-48525, CVE-2026-48526. CVSS scores: CVE-2026-48522 (SUSE): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N; CVE-2026-48522 (SUSE):...

CVSS 9.1, AI score 5.3, EPSS 0.0025
Exploits: 4
RedhatCVE
added 2026/06/04 10:17 p.m., 6 views

CVE-2026-48522

A flaw was found in PyJWT, a JSON Web Token implementation in Python. The PyJWKClient component, prior to version 2.13.0, directly passes its Uniform Resource Identifier URI argument to urllib.request.urlopen. This allows a remote attacker, by influencing the application's jku URL ingestion path,...

CVSS 4.2, AI score 5.8, EPSS 0.00148
Exploits: 1, References: 4
NVD
added 2026/05/28 4:16 p.m., 14 views

CVE-2026-48524

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

CVSS 3.7, EPSS 0.00205
Exploits: 0, References: 1
NVD
added 2026/05/28 4:16 p.m., 12 views

CVE-2026-48525

PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For...

CVSS 5.3, EPSS 0.0025
Exploits: 1, References: 1
CVE
added 2026/05/28 3:09 p.m., 85 views

CVE-2026-48526

PyJWT (Python) prior to 2.13.0 did not validate the use of JSON Web Keys in HMAC verification, allowing an attacker to use the issuer public key as the HMAC secret during token verification. This could enable forging tokens when mixing RS/EC/JWK and HS algorithms. The issue is fixed in PyJWT 2.13...

CVSS 7.4, AI score 5.8, EPSS 0.00148
Exploits: 1, References: 1, Affected Software: 1
ATTACKERKB
added 2026/05/28 3:07 p.m., 6 views

CVE-2026-48524

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

CVSS 3.7, AI score 5.8, EPSS 0.00205
Exploits: 0, References: 2, Affected Software: 1
ATTACKERKB
added 2026/05/28 3:00 p.m., 9 views

CVE-2026-48522

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no...

CVSS 4.2, AI score 6, EPSS 0.00148
Exploits: 1, References: 2, Affected Software: 1
RedHat Linux
added 2026/05/28 12:06 a.m., 7 views

pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...

CVSS 7.5, AI score 5.7, EPSS 0.00198
Exploits: 1, References: 5
Tenable Nessus
added 2026/05/06 12:00 a.m., 8 views

RHEL 10 : fence-agents (RHSA-2026:13916)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:13916 advisory. The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or...

CVSS 7.5, AI score 7.1, EPSS 0.0058
Exploits: 2, References: 6
Tenable Nessus
added 2026/04/17 12:00 a.m., 4 views

SUSE SLED15 / SLES15 Security Update : python-PyJWT (SUSE-SU-2026:1400-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2026:1400-1 advisory. - CVE-2026-32597: Fixed unknown crit header extensions accepts (bsc#1259616). Tenable has extracted the preceding...

CVSS 7.5, AI score 5.8, EPSS 0.00198
Exploits: 1, References: 4
Photon
added 2026/04/10 12:00 a.m., 8 views

Important Photon OS Security Update - PHSA-2026-4.0-0995

Updates of 'python3-PyJWT', 'python3-pyasn1', 'libtiff', 'nodejs', 'rubygem-rdiscount', 'rubygem-activesupport' packages of Photon OS have been released...

CVSS 7.5, AI score 6.7, EPSS 0.13066
Exploits: 0
Amazon
added 2026/04/01 12:00 a.m., 5 views

Medium: python-jwt

Issue Overview: A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of...

CVSS 7.5, AI score 7, EPSS 0.00198
Exploits: 1
Tenable Nessus
added 2026/03/06 12:00 a.m., 6 views

Amazon Linux 2023 : python3-jwt, python3-jwt+crypto (ALAS2023-2026-1467)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1467 advisory. pyjwt v2.10.1 was discovered to contain weak encryption (CVE-2025-45768). Tenable has extracted the preceding description block directly from the tested product security advisory. Note that Nessus has no...

CVSS 7, AI score 5.8, EPSS 0.00153
Exploits: 0, References: 4
Amazon
added 2026/03/05 12:00 a.m., 3 views

Medium: python-jwt

Issue Overview: pyjwt v2.10.1 was discovered to contain weak encryption (CVE-2025-45768). Affected Packages: python-jwt. Issue Correction: Run "dnf update python-jwt --releasever 2023.10.20260302" or "dnf update --advisory ALAS2023-2026-1467 --releasever 2023.10.20260302" to update your system. More...

CVSS 7, AI score 5.8, EPSS 0.00153
Exploits: 0
Tenable Nessus
added 2024/06/03 12:00 a.m., 80 views

RHEL 8 : python-jwt (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. - python-jwt: Key confusion through non-blocklisted public key formats (CVE-2022-29217). Note that Nessus has not tested...

CVSS 7.5, AI score 7.6, EPSS 0.012
Exploits: 0, References: 1
Tenable Nessus
added 2024/06/03 12:00 a.m., 16 views

RHEL 9 : python-jwt (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 9 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. - python-jwt: Key confusion through non-blocklisted public key formats (CVE-2022-29217). Note that Nessus has not tested...

CVSS 7.5, AI score 7.3, EPSS 0.012
Exploits: 0, References: 1
GithubExploit
added 2023/06/07 11:11 a.m., 974 views

Exploit for Authentication Bypass by Spoofing in Python-Jwt_Project Python-Jwt

CVE-2022-39227: Proof of Concept. Proof of co...

CVSS 9.1, AI score 9.2, EPSS 0.03558
Exploits: 2
Tenable Nessus
added 2023/03/28 12:00 a.m., 34 views

CBL Mariner 2.0 Security Update: python-jwt (CVE-2022-39227)

The version of python-jwt installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-39227 advisory. - python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject...

CVSS 9.1, AI score 8.3, EPSS 0.03558
Exploits: 2, References: 2