CVE-2026-32597

HIGH

PyJWT <2.12.0 - Auth Bypass

Title source: llm

Description

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.

References (1)

[Vendor Advisory] https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f

Scores

CVSS v3 7.5

EPSS 0.0001

EPSS Percentile 2.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-863 CWE-345

Status published

Products (3)

jpadilla/pyjwt < 2.12.0

pyjwt_project/pyjwt < 2.12.0

pypi/PyJWT 0 - 2.12.0PyPI

Published Mar 13, 2026

Tracked Since Mar 14, 2026