CVE-2026-32597

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N                                    

Vulnerability Description

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.

Vulnerability Details

Published Date

March 13, 2026

Last Modified

March 19, 2026

CWE ID

CWE-345

Source

NVD

Vendor

jpadilla

Product

pyjwt

External References

https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f

CVE-2026-32597

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment