PT-2026-28589 · Libjwt · Libjwt

Akshay Jain +1 · Published 2026-03-27 · Updated 2026-03-28 · CVE-2026-33996

CVSS v4.0: 5.8 (Medium)

Vector: AV:A/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L

Name of the Vulnerable Software and Affected Versions

LibJWT versions 3.0.0 through 3.2.9

Description

LibJWT, a C JSON Web Token Library, has an issue in the RSA-PSS JWK parsing functionality. Versions prior to 3.3.0 do not adequately validate JSON string values, specifically failing to protect against NULL values. A crafted JWK file containing integers where strings are expected can exploit this. It is recommended to avoid importing keys from untrusted sources and to use the jwk2key tool to validate JWK files. If possible, avoid using JWK files with RSA-PSS keys.

Recommendations

Update to LibJWT version 3.3.0 or later. As a workaround, do not import keys through a JWK file from untrusted sources. Use the jwk2key tool to check the validity of a JWK file. Avoid using JWK files with RSA-PSS keys if possible.
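
A pre-import type check for JWK files, as an added example (not LibJWT code and not a replacement for jwk2key or the upgrade): it rejects any JWK or JWKS in which a member that RFC 7517 / RFC 7518 define as a string is some other JSON type. The member list, the function names and the sample documents are assumptions of this example; the advisory does not say which members the affected parser mishandles.

```python
import json

# Members that RFC 7517 / RFC 7518 define as JSON strings. The advisory does
# not name the members the affected parser mishandles; checking all of these
# is an assumption of this example.
STRING_MEMBERS = ("kty", "use", "alg", "kid", "crv", "x", "y",
                  "n", "e", "d", "p", "q", "dp", "dq", "qi", "k")
PSS_ALGS = {"PS256", "PS384", "PS512"}


def check_jwk(jwk, where="jwk"):
    """Return findings for one JWK object; an empty list means no findings."""
    if not isinstance(jwk, dict):
        return [f"{where}: not a JSON object"]
    findings = []
    for name in STRING_MEMBERS:
        if name in jwk and not isinstance(jwk[name], str):
            kind = type(jwk[name]).__name__
            findings.append(f"{where}.{name}: expected string, got {kind}")
    # "alg" is optional in a JWK, so this only flags keys that declare PSS.
    alg = jwk.get("alg")
    if isinstance(alg, str) and alg in PSS_ALGS:
        findings.append(f"{where}: declares RSA-PSS ({alg})")
    return findings


def check_jwk_text(text):
    """Check a JWK or JWKS document given as text; does not raise on bad input."""
    try:
        doc = json.loads(text)
    except (ValueError, RecursionError) as exc:
        return [f"document: invalid JSON ({exc})"]
    if isinstance(doc, dict) and "keys" in doc:
        if not isinstance(doc["keys"], list):
            return ["keys: expected array"]
        return [f for i, key in enumerate(doc["keys"])
                for f in check_jwk(key, f"keys[{i}]")]
    return check_jwk(doc)


# Constructed samples: one JWKS with an integer where a string belongs, one
# well-typed JWK (values shortened, not real key material).
SAMPLE_BAD = '{"keys": [{"kty": "RSA", "alg": "PS256", "n": 12345, "e": "AQAB"}]}'
SAMPLE_OK = '{"kty": "RSA", "alg": "RS256", "n": "sXch", "e": "AQAB"}'

if __name__ == "__main__":
    for finding in check_jwk_text(SAMPLE_BAD):
        print(finding)
```

Any finding should block the import on hosts still running a LibJWT version from 3.0.0 through 3.2.9.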

Exploit

Fix

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

CVE-2026-33996
GHSA-PH96-HQPC-9F66

Affected Products

Libjwt