PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0.
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48526.json
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx
https://bugzilla.redhat.com/show_bug.cgi?id=2482734
https://access.redhat.com/security/cve/CVE-2026-48526
https://access.redhat.com/errata/RHSA-2026:37275
https://access.redhat.com/errata/RHSA-2026:36350
https://access.redhat.com/errata/RHSA-2026:35845
https://access.redhat.com/errata/RHSA-2026:35837
https://access.redhat.com/errata/RHSA-2026:35836
https://access.redhat.com/errata/RHSA-2026:35835
https://access.redhat.com/errata/RHSA-2026:34374
https://access.redhat.com/errata/RHSA-2026:34365
https://access.redhat.com/errata/RHSA-2026:34160
https://access.redhat.com/errata/RHSA-2026:33683
https://access.redhat.com/errata/RHSA-2026:30089
https://access.redhat.com/errata/RHSA-2026:30088
https://access.redhat.com/errata/RHSA-2026:30076
https://access.redhat.com/errata/RHSA-2026:28571
https://access.redhat.com/errata/RHSA-2026:26206