CVE-2026-32597

HIGH

PyJWT < 2.12.0 - Insufficient Verification of Data Authenticity via crit Header Parameter

Title source: llm

Description

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.

References (2)

Core 2

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html

Vendor Advisory x_refsource_confirm

https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f

Scores

CVSS v3 7.5

EPSS 0.0020

EPSS Percentile 9.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-345 CWE-863

Status published

Products (3)

jpadilla/pyjwt < 2.12.0

pyjwt_project/pyjwt < 2.12.0

pypi/PyJWT 0 - 2.12.0PyPI

Published Mar 13, 2026

Tracked Since Mar 14, 2026