CVE-2026-32597 — Insufficient Verification of Data Authenticity in Pyjwt

CWE-345 — Insufficient Verification of Data Authenticity CWE-863 — Incorrect Authorization CWE-347 — Improper Verification of Cryptographic Signature9 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 98.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jpadilla Pyjwt Pyjwt Project Pyjwt Debian Pyjwt

Timeline

PublishedMar 13

Latest updateMar 30

Description

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5jpadilla/pyjwt< 2.12.0

▶NVDpyjwt_project/pyjwt< 2.12.0

▶PyPIpyjwt_project/pyjwt< 2.12.0

▶debiandebian/pyjwt

🔴Vulnerability Details

GHSA

PyJWT accepts unknown `crit` header extensions↗2026-03-13

▶

OSV

CVE-2026-32597: PyJWT is a JSON Web Token implementation in Python↗2026-03-13

▶

OSV

PyJWT accepts unknown `crit` header extensions↗2026-03-13

▶

📋Vendor Advisories

Ubuntu

PyJWT vulnerability↗2026-03-30

▶

Red Hat

pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)↗2026-03-12

▶

Debian

CVE-2026-32597: pyjwt - PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-32597 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-32597 pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)↗2026-03-12

▶