CVE-2026-32597
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| jpadilla | pyjwt | < 2.12.0 | affected |
Weaknesses
- CWE-345: CWE-345: Insufficient Verification of Data Authenticity
- CWE-863: CWE-863: Incorrect Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
Additional References
CVE Program Container
Additional References
pyjwt: PyJWT accepts unknown crit header extensions (RFC 7515 §4.1.11 MUST violation)
Additional References
- https://access.redhat.com/security/cve/CVE-2026-32597
- https://bugzilla.redhat.com/show_bug.cgi?id=2447194
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32597.json
- https://access.redhat.com/errata/RHSA-2026:13512
- https://access.redhat.com/errata/RHSA-2026:13508
- https://access.redhat.com/errata/RHSA-2026:17083
- https://access.redhat.com/errata/RHSA-2026:13916
- https://access.redhat.com/errata/RHSA-2026:19138
- https://access.redhat.com/errata/RHSA-2026:12176
- https://access.redhat.com/errata/RHSA-2026:22330
- https://access.redhat.com/errata/RHSA-2026:21517
- https://access.redhat.com/errata/RHSA-2026:21431
- https://access.redhat.com/errata/RHSA-2026:13672
- https://access.redhat.com/errata/RHSA-2026:19355
- https://access.redhat.com/errata/RHSA-2026:8748
- https://access.redhat.com/errata/RHSA-2026:8746
- https://access.redhat.com/errata/RHSA-2026:8747
- https://access.redhat.com/errata/RHSA-2026:13553
- https://access.redhat.com/errata/RHSA-2026:13545
- https://access.redhat.com/errata/RHSA-2026:10140
- https://access.redhat.com/errata/RHSA-2026:10141
- https://access.redhat.com/errata/RHSA-2026:10184
- https://access.redhat.com/errata/RHSA-2026:24977
- https://access.redhat.com/errata/RHSA-2026:19712
- https://access.redhat.com/errata/RHSA-2026:6912
- https://access.redhat.com/errata/RHSA-2026:6720
- https://access.redhat.com/errata/RHSA-2026:6568
- https://access.redhat.com/errata/RHSA-2026:19375
- https://access.redhat.com/errata/RHSA-2026:6926
- https://access.redhat.com/errata/RHSA-2026:26226
- https://access.redhat.com/errata/RHSA-2026:8437
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.