CVE-2026-32597
Last modified
CVE-2026-32597 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. EPSS estimates a 0.20% chance of exploitation in the next 30 days.
Description
PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Pyjwt Project | Pyjwt | < 2.12.0 |
References
- https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9fExploit, Mitigation, Vendor Advisory
- https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9fExploit, Mitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2026-32597?
How severe is CVE-2026-32597?
How do I fix CVE-2026-32597?
Are you affected by CVE-2026-32597?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST