CVE-2026-48526
HIGH
PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed
Title source: cnaDescription
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when a verifier decodes JSON Web Tokens while accepting both asymmetric and HMAC algorithms, the library does not validate the use of JSON Web Keys with HMAC algorithms, allowing an attacker to use the issuer's public key as the secret key for the HMAC algorithm. This vulnerability is fixed in 2.13.0.
References (1)
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx
Scores
CVSS v3
7.4
EPSS
0.0015
EPSS Percentile
4.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-287
CWE-347
Status
published
Products (3)
jpadilla/pyjwt
< 2.13.0
pyjwt_project/pyjwt
< 2.13.0
pypi/pyjwt
0 - 2.13.0 (PyPI)
Published
May 28, 2026
Tracked Since
May 28, 2026