PT-2026-25090 · Pypi+3 · Pyjwt+3
Dmbs335 · Published 2026-01-01 · Updated 2026-05-18 · CVE-2026-32597

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: PyJWT versions prior to 2.12.0

Description: PyJWT is a Python implementation for handling JSON Web Tokens (JWT). Before version 2.12.0, the library did not properly validate the 'crit' (Critical) Header Parameter as defined in RFC 7515 §4.1.11. Specifically, if a JWT contained a 'crit' array listing extensions that PyJWT did not recognize, the library accepted the token instead of rejecting it, violating the 'MUST' requirement of the RFC. This could lead to security policy bypasses, token binding bypasses, and split-brain verification issues in deployments where different libraries with varying levels of compliance verify the same tokens. In particular, the issue allows RFC 7800 cnf (proof-of-possession) extensions marked as critical to be silently ignored. A proof of concept demonstrates that a token with an unknown critical extension is accepted by PyJWT, while a compliant library such as jwcrypto rejects it.

Recommendations: Versions prior to 2.12.0 should be updated to version 2.12.0 or later.
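As an added defensive illustration that is not part of this advisory or of PyJWT's own code: the check below, written with the Python standard library only, reads the unverified JOSE header of a compact JWS and applies the RFC 7515 §4.1.11 rules that a recipient must reject a token whose 'crit' list names an extension it does not understand (the rule PyJWT before 2.12.0 did not enforce), and may also reject 'crit' lists that are empty, contain duplicates, name standard header parameters, or name parameters absent from the header. The helper names (crit_violation, unverified_header, make_token), the extension name http://example.com/must-bind and the sample tokens are constructed for this example; in a real service the same check would run in addition to, never instead of, signature verification (for instance on the header returned by PyJWT's jwt.get_unverified_header), and the set of supported extensions would list only what the application actually implements.

```python
import base64
import json
from typing import FrozenSet, Optional

# Header Parameter names registered by RFC 7515 and RFC 7518 (JWA) for use with JWS.
# RFC 7515 §4.1.11 forbids producers from listing them in 'crit' and lets recipients
# treat a token that does so as invalid; this check rejects it.
STANDARD_HEADER_PARAMS = frozenset({
    "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit",
})


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment without padding, as used in compact JWS serialization."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unverified_header(token: str) -> dict:
    """Return the JOSE header of a compact JWS. Nothing here verifies the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def crit_violation(token: str, supported_extensions: FrozenSet[str] = frozenset()) -> Optional[str]:
    """
    Apply RFC 7515 §4.1.11 to the token's 'crit' header.
    Returns None when the token passes, otherwise a short reason it must be rejected.
    """
    header = unverified_header(token)
    if "crit" not in header:
        return None  # no critical extensions claimed: nothing to enforce
    crit = header["crit"]
    if not isinstance(crit, list) or not all(isinstance(n, str) for n in crit):
        return "crit is not an array of strings"
    if not crit:
        return "crit must not be the empty list"
    if len(set(crit)) != len(crit):
        return "crit contains duplicate names"
    for name in crit:
        if name in STANDARD_HEADER_PARAMS:
            return f"crit lists a standard header parameter: {name!r}"
        if name not in header:
            return f"crit names {name!r} but the header does not carry it"
        if name not in supported_extensions:
            # The branch PyJWT < 2.12.0 lacked: an extension the recipient does not
            # understand MUST make the JWS invalid (RFC 7515 §4.1.11).
            return f"unsupported critical extension: {name!r}"
    return None


def make_token(header: dict, payload: dict) -> str:
    """Build a compact JWS for the examples below (constructed test data; the signature is a dummy)."""
    def seg(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{seg(header)}.{seg(payload)}.{b64url_encode(b'not-a-real-signature')}"


# Constructed sample tokens: one without 'crit', one naming an extension this recipient
# does not implement, one naming RFC 7797's 'b64' option which the recipient may support.
TOKEN_PLAIN = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"})
TOKEN_UNKNOWN_CRIT = make_token(
    {"alg": "HS256", "typ": "JWT",
     "crit": ["http://example.com/must-bind"], "http://example.com/must-bind": True},
    {"sub": "alice"},
)
TOKEN_SUPPORTED_CRIT = make_token({"alg": "HS256", "crit": ["b64"], "b64": False}, {"sub": "alice"})

if __name__ == "__main__":
    recipient_supports = frozenset({"b64"})
    for label, tok in [("plain", TOKEN_PLAIN), ("unknown crit", TOKEN_UNKNOWN_CRIT),
                       ("supported crit", TOKEN_SUPPORTED_CRIT)]:
        print(label, "->", crit_violation(tok, recipient_supports) or "accepted")
```

The important design point is the default: with no supported extensions declared, any non-empty 'crit' list is rejected, so a deployment that forgets to configure the check fails closed, which is the behaviour a mixed-library environment needs to avoid the split-brain verification described above.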

Exploit

Fix

DoS

Weakness Enumeration

Insufficient Verification of Data Authenticity
Incorrect Authorization

Related Identifiers

ALSA-2026:12176
ALSA-2026:13916
BDU:2026-04360
CLEANSTART-2026-AN27706
CVE-2026-32597
ECHO-B1A0-3286-88DA
GHSA-752W-5FWX-JX9F
OPENSUSE-SU-2026:10397-1
OPENSUSE-SU-2026:10681-1
OPENSUSE-SU-2026:20431-1
PYSEC-2026-120
RHSA-2026:13508
RHSA-2026:13512
RHSA-2026:13672
RHSA-2026:13916
RHSA-2026:19138
RHSA-2026:19355
SUSE-SU-2026:1199-1
SUSE-SU-2026:1389-1
SUSE-SU-2026:1400-1
SUSE-SU-2026:20839-1
SUSE-SU-2026:20869-1
SUSE-SU-2026:20879-1
SUSE-SU-2026:20934-1
USN-8133-1

Affected Products

Linuxmint
Pyjwt
Rocky Linux
Ubuntu