PT-2026-44395 · Pypi · Pyjwt

·

CVE-2026-48523

·

Published

2026-05-28

·

Updated

2026-06-25

CVSS v3.1

5.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions PyJWT versions 2.9.0 through 2.12.1
Description A verifier-side algorithm allow-list bypass occurs when jwt.decode() or jwt.decode complete() are called with a PyJWK key. While the token header alg is checked against the provided algorithms allow-list, signature verification is performed using the algorithm bound to the PyJWK object rather than the header algorithm. This allows an attacker controlling a registered JWK/JWKS private key to sign a token with a disallowed algorithm and advertise an allowed algorithm in the JWT header to gain acceptance. This issue affects the PyJWKClient.get signing key from jwt(...) flow.
Recommendations Update to version 2.13.0.

Exploit

Fix

Improper Verification of Cryptographic Signature

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-AZ09261
CLEANSTART-2026-CQ05396
CLEANSTART-2026-MJ28981
CLEANSTART-2026-MR94452
CVE-2026-48523
ECHO-894A-8FA2-A1B5
GHSA-JQ35-7PRP-9V3F
OPENSUSE-SU-2026:11024-1
OPENSUSE-SU-2026:21095-1
PYSEC-2026-176
RHSA-2026:7634
SUSE-SU-2026:22138-1
SUSE-SU-2026:22170-1
SUSE-SU-2026:22220-1
SUSE-SU-2026:22238-1
SUSE-SU-2026:2626-1
SUSE-SU-2026:2627-1

Affected Products

Pyjwt