CVE-2026-48524

3.7 LOW

PyJWT is a JSON Web Token implementation in Python

Published: 2026-05-28 · Last updated: 2026-06-01

Severity and scoring

CVSS: 3.7 LOW
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-460, CWE-755

Affected products

Vendor: pyjwt_project
Product: pyjwt

Description

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. This vulnerability is fixed in 2.13.0.

Source: NVD

Related CVEs

Same vendor

  • CVE-2026-48526 PyJWT is a JSON Web Token implementation in Python (7.4 HIGH)
  • CVE-2026-48525 PyJWT is a JSON Web Token implementation in Python (5.3 MEDIUM)
  • CVE-2026-48523 PyJWT is a JSON Web Token implementation in Python (5.4 MEDIUM)
  • CVE-2026-48522 PyJWT is a JSON Web Token implementation in Python (4.2 MEDIUM)

Same CWE

  • CVE-2026-44505 Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm (5.3 MEDIUM)
  • CVE-2023-43686 An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later) (6.2 MEDIUM)
  • CVE-2026-49235 When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes
  • CVE-2026-49232 Routinator exits on any error when accepting incoming HTTP or RTR connections, including ones it can recover from such as running out of ...
  • CVE-2026-9516 Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws (7.5 HIGH)