PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32597.json
https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f
https://bugzilla.redhat.com/show_bug.cgi?id=2447194
https://access.redhat.com/security/cve/CVE-2026-32597
https://access.redhat.com/errata/RHSA-2026:8748
https://access.redhat.com/errata/RHSA-2026:8747
https://access.redhat.com/errata/RHSA-2026:8746
https://access.redhat.com/errata/RHSA-2026:8437
https://access.redhat.com/errata/RHSA-2026:6926
https://access.redhat.com/errata/RHSA-2026:6912
https://access.redhat.com/errata/RHSA-2026:6720
https://access.redhat.com/errata/RHSA-2026:6568
https://access.redhat.com/errata/RHSA-2026:26226
https://access.redhat.com/errata/RHSA-2026:24977
https://access.redhat.com/errata/RHSA-2026:22330
https://access.redhat.com/errata/RHSA-2026:21517
https://access.redhat.com/errata/RHSA-2026:21431
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:19375
https://access.redhat.com/errata/RHSA-2026:19355
https://access.redhat.com/errata/RHSA-2026:19138
https://access.redhat.com/errata/RHSA-2026:17083
https://access.redhat.com/errata/RHSA-2026:13916
https://access.redhat.com/errata/RHSA-2026:13672
https://access.redhat.com/errata/RHSA-2026:13553
https://access.redhat.com/errata/RHSA-2026:13545
https://access.redhat.com/errata/RHSA-2026:13512
https://access.redhat.com/errata/RHSA-2026:13508
https://access.redhat.com/errata/RHSA-2026:12176
https://access.redhat.com/errata/RHSA-2026:10184