CVE-2026-32597

Exploit

EPSS 0.01%
Veröffentlicht 12.03.2026 21:41:50
Zuletzt bearbeitet 05.05.2026 18:16:02
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pyjwt Project ≫ Pyjwt Version < 2.12.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.027

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f

Vendor Advisory

Exploit

Mitigation

https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html

https://nvd.nist.gov/vuln/detail/CVE-2026-32597

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32597

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32597

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-32597