CVE-2026-48526
7.4 HIGH
PyJWT is a JSON Web Token implementation in Python
Published: 2026-05-28 · Last updated: 2026-06-01
Severity and scoring
- CVSS: 7.4 HIGH
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
- CWE: CWE-287, CWE-347
Affected products
| Vendor | Product |
|---|---|
| pyjwt_project | pyjwt |
Description
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier decodes JSON Web Tokens while supporting both asymmetric and HMAC algorithms, the library does not validate the use of JSON Web Keys with HMAC algorithms, allowing an attacker to use the issuer's public key as the secret key for an HMAC algorithm. This vulnerability is fixed in 2.13.0.
Source: NVD
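As an added example (not PyJWT's own code): a stdlib-only pre-flight check to run in front of the library's decode() call, pinning the allowlist to a single algorithm family and refusing an HMAC alg whenever the configured verification key is an asymmetric public key, whether PEM text or a JWK whose kty is not "oct". The function names and the sample tokens, PEM and JWK values are constructed for illustration.

```python
import base64
import json
# HMAC family from RFC 7518; a verifier should allow exactly one family per configured key.
HMAC_ALGS = {"HS256", "HS384", "HS512"}

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def parse_header(token: str) -> dict:
    """Return the JOSE header of a compact JWT without trusting anything in it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("header must be a JSON object")
    return header

def usable_as_hmac_secret(key) -> bool:
    """A JWK is an HMAC secret only if kty is 'oct'; PEM public keys and certs never are."""
    if isinstance(key, dict):
        return key.get("kty") == "oct"
    text = key.decode() if isinstance(key, bytes) else str(key)
    return "PUBLIC KEY" not in text and "BEGIN CERTIFICATE" not in text

def preflight_check(token: str, key, allowed_algs) -> str:
    # Reject alg/key-type confusion before the library's decode(); returns the accepted alg.
    allowed = set(allowed_algs)
    if allowed & HMAC_ALGS and allowed - HMAC_ALGS:
        raise ValueError("allowlist mixes HMAC and asymmetric algorithms for one key")
    alg = parse_header(token).get("alg")
    if alg not in allowed:
        raise ValueError(f"alg {alg!r} is not in the allowlist")
    if alg in HMAC_ALGS and not usable_as_hmac_secret(key):
        raise ValueError("HMAC alg requested but the configured key is a public key")
    return alg
def is_rejected(token: str, key, allowed_algs) -> bool:
    try:
        preflight_check(token, key, allowed_algs)
    except ValueError:
        return True
    return False
# Constructed samples: header, empty payload, placeholder signature segment (no real signing).
def _token_with_alg(alg: str) -> str:
    header = json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode()
    return f"{_b64url_encode(header)}.{_b64url_encode(b'{}')}.sig"
RS256_TOKEN, HS256_TOKEN = _token_with_alg("RS256"), _token_with_alg("HS256")
PUBLIC_KEY_PEM = "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n"
RSA_JWK = {"kty": "RSA", "n": "PLACEHOLDER", "e": "AQAB"}
```

The check only inspects the header and the key's type; signature verification itself is still left to the library, called afterwards with the same single-family allowlist.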
References
Related CVEs
Same vendor
- CVE-2026-48525 — PyJWT is a JSON Web Token implementation in Python (5.3 MEDIUM)
- CVE-2026-48524 — PyJWT is a JSON Web Token implementation in Python (3.7 LOW)
- CVE-2026-48523 — PyJWT is a JSON Web Token implementation in Python (5.4 MEDIUM)
- CVE-2026-48522 — PyJWT is a JSON Web Token implementation in Python (4.2 MEDIUM)
Same CWE
- CVE-2026-47838 — SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wr... (6.8 MEDIUM)
- CVE-2026-41694 — Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a val... (3.7 LOW)
- CVE-2026-49848 — FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implem... (4.3 MEDIUM)
- CVE-2026-49843 — FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implem... (5.3 MEDIUM)
- CVE-2026-44810 — Improper authentication in Windows Cryptographic Services allows an unauthorized attacker to elevate privileges locally (8.4 HIGH)