7.5
CVE-2026-32597
- EPSS 0.27%
- Veröffentlicht 12.03.2026 21:41:50
- Zuletzt bearbeitet 10.07.2026 12:16:39
- CVE-Watchlists
- Unerledigt
PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Pyjwt Project ≫ Pyjwt Version < 2.12.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.27% | 0.184 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
CWE-345 Insufficient Verification of Data Authenticity
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-347 Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html
https://bugzilla.redhat.com/show_bug.cgi?id=2447194
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32597.json
https://access.redhat.com/errata/RHSA-2026:10184
https://access.redhat.com/errata/RHSA-2026:19375
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:24977
https://access.redhat.com/errata/RHSA-2026:6568
https://access.redhat.com/errata/RHSA-2026:10140
https://access.redhat.com/errata/RHSA-2026:10141
https://access.redhat.com/errata/RHSA-2026:13508
https://access.redhat.com/errata/RHSA-2026:13512
https://access.redhat.com/errata/RHSA-2026:13545
https://access.redhat.com/errata/RHSA-2026:6720
https://access.redhat.com/errata/RHSA-2026:8746
https://access.redhat.com/errata/RHSA-2026:8747
https://access.redhat.com/errata/RHSA-2026:8748
https://access.redhat.com/errata/RHSA-2026:6926
https://access.redhat.com/errata/RHSA-2026:13553
https://access.redhat.com/errata/RHSA-2026:37275
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f
https://access.redhat.com/errata/RHSA-2026:12176
https://access.redhat.com/errata/RHSA-2026:13672
https://access.redhat.com/errata/RHSA-2026:13916
https://access.redhat.com/errata/RHSA-2026:17083
https://access.redhat.com/errata/RHSA-2026:19138
https://access.redhat.com/errata/RHSA-2026:19355
https://access.redhat.com/errata/RHSA-2026:21431
https://access.redhat.com/errata/RHSA-2026:21517
https://access.redhat.com/errata/RHSA-2026:22330
https://access.redhat.com/errata/RHSA-2026:26226
https://access.redhat.com/errata/RHSA-2026:6912
https://access.redhat.com/errata/RHSA-2026:8437
https://access.redhat.com/security/cve/CVE-2026-32597