SB20260427100 - Insufficient verification of data authenticity in pyjwt
Published: April 27, 2026
Security Bulletin ID
SB20260427100
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Insufficient verification of data authenticity (CVE-ID: CVE-2026-32597)
The vulnerability allows a remote attacker to bypass security policy enforcement.
The vulnerability exists due to insufficient verification of data authenticity in the PyJWT token header validation logic when processing JWS tokens with unknown critical header extensions. A remote attacker can send a specially crafted token to bypass security policy enforcement.
This can cause split-brain verification in mixed-library deployments, where other RFC-compliant libraries reject the same token.
Remediation
Install update from vendor's website.