By vendor
Pyjwt_project vulnerabilities
Known CVEs affecting Pyjwt_project products, prioritized by severity, with SEC.co remediation and detection guidance.
5 published vulnerabilities
- CVE-2026-48526HIGH 7.4
PyJWT, a widely-used Python library for handling JSON Web Tokens (JWTs), contains an authentication bypass vulnerability in versions before 2.13.0. The flaw allows attackers to forge valid tokens by exploiting insufficient validation of cryptographic key usage. Specifically, when a library instance is configured to accept both asymmetric (public-key) and HMAC (shared-secret) algorithms, an attacker can take the issuer's public key—which is often publicly available—and use it as the HMAC secret to create forged tokens that the vulnerable library will accept as legitimate.
- CVE-2026-48523MEDIUM 5.4
PyJWT, a widely-used Python library for handling JSON Web Tokens, has a flaw in how it validates token signatures when using JWK (JSON Web Key) objects. Between versions 2.9.0 and 2.12.1, the library checks that a token's advertised algorithm is in the caller's allow-list, but then ignores that check and uses a different algorithm bound to the JWK object for actual verification. This means an attacker with access to a registered private key can craft a token that claims to use an allowed algorithm in its header while being signed with a disallowed algorithm stored in the JWK—and the library will accept it. The fix is available in version 2.13.0.
- CVE-2026-48525MEDIUM 5.3
PyJWT, a widely-used Python library for JSON Web Token (JWT) handling, contains a denial-of-service vulnerability in its handling of detached JWS (JSON Web Signature) tokens. When processing tokens with the unencoded-payload option enabled (RFC 7797's b64=false mode), the library decodes the Base64URL-encoded payload segment before applying detached-payload verification rules. An attacker can exploit this by sending a specially crafted token with an extremely large payload segment, forcing the library to perform unnecessary decoding and memory allocation even before signature validation occurs. This creates a resource exhaustion attack that can be triggered by unauthenticated remote clients against any application using PyJWT to verify detached JWS tokens.
- CVE-2026-48522MEDIUM 4.2
PyJWT, a widely-used Python library for JSON Web Token handling, has a vulnerability in versions before 2.13.0 where it blindly accepts any URL scheme when fetching public key sets (JWKS). An attacker who can influence the URL used to fetch these keys—through JWT headers, configuration, or OAuth parameters—can trick the application into reading local files, attempting unusual protocol connections (FTP, data URIs), or in certain chained scenarios, forging valid tokens. The vulnerability requires specific conditions: the attacker must control the URL source, and token forgery scenarios require additional application-layer flaws like writable filesystem access.
- CVE-2026-48524LOW 3.7
PyJWT, a widely-used Python library for handling JSON Web Tokens (JWTs), contains a weakness in how it fetches public signing keys. When a JWT arrives with an unfamiliar key identifier (kid), the library will make a fresh HTTP request to retrieve the correct signing key—without any protection against repeated requests for the same unknown identifier. An attacker can exploit this by sending JWTs with different fake kid values, forcing the library to make outbound requests for each one. While the actual impact depends on whether the signing-key endpoint has its own rate limiting or becomes saturated, the vulnerability allows an attacker to potentially cause a denial-of-service condition through request amplification. This issue is resolved in PyJWT 2.13.0 and later.