CVE-2026-32597

high

Description

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.

References

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32597.json

https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html

https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f

https://bugzilla.redhat.com/show_bug.cgi?id=2447194

https://access.redhat.com/security/cve/CVE-2026-32597

https://access.redhat.com/errata/RHSA-2026:8748

https://access.redhat.com/errata/RHSA-2026:8747

https://access.redhat.com/errata/RHSA-2026:8746

https://access.redhat.com/errata/RHSA-2026:8437

https://access.redhat.com/errata/RHSA-2026:6926

https://access.redhat.com/errata/RHSA-2026:6912

https://access.redhat.com/errata/RHSA-2026:6720

https://access.redhat.com/errata/RHSA-2026:6568

https://access.redhat.com/errata/RHSA-2026:26226

https://access.redhat.com/errata/RHSA-2026:24977

https://access.redhat.com/errata/RHSA-2026:22330

https://access.redhat.com/errata/RHSA-2026:21517

https://access.redhat.com/errata/RHSA-2026:21431

https://access.redhat.com/errata/RHSA-2026:19712

https://access.redhat.com/errata/RHSA-2026:19375

https://access.redhat.com/errata/RHSA-2026:19355

https://access.redhat.com/errata/RHSA-2026:19138

https://access.redhat.com/errata/RHSA-2026:17083

https://access.redhat.com/errata/RHSA-2026:13916

https://access.redhat.com/errata/RHSA-2026:13672

https://access.redhat.com/errata/RHSA-2026:13553

https://access.redhat.com/errata/RHSA-2026:13545

https://access.redhat.com/errata/RHSA-2026:13512

https://access.redhat.com/errata/RHSA-2026:13508

https://access.redhat.com/errata/RHSA-2026:12176

https://access.redhat.com/errata/RHSA-2026:10184

https://access.redhat.com/errata/RHSA-2026:10141

https://access.redhat.com/errata/RHSA-2026:10140

Details

Source: Mitre, NVD

Published: 2026-03-13

Updated: 2026-07-01

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Severity: High

EPSS

EPSS: 0.00014