SB20260625276 - SUSE update for python-PyJWT

Published: June 25, 2026

Security Bulletin ID: SB20260625276
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 50%, Low: 50%

Description

This security bulletin contains information about 4 vulnerabilities.


1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-48522)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to server-side request forgery in PyJWKClient when processing attacker-influenced JKU URLs. A remote attacker can supply a URL using the file://, ftp://, or data: scheme to disclose sensitive information.

User interaction is required, and exploitation depends on an application passing an attacker-influenced jku value to PyJWKClient.


2) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-48523)

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass algorithm policy enforcement.

The vulnerability exists due to improper verification of cryptographic signature in the PyJWK verification path when decoding JWTs with PyJWK or PyJWKClient-derived keys. A remote user can sign a token with a disallowed algorithm while advertising an allowed algorithm in the JWT header to bypass algorithm policy enforcement.

Exploitation requires control of a registered JWK or JWKS private key, such as in multi-tenant or federation-style trust models.


3) Resource exhaustion (CVE-ID: CVE-2026-48525)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in PyJWS.decode(), PyJWS.decode_complete(), and _load() in jwt/api_jws.py when verifying detached JWS tokens with the unencoded-payload option (b64=false). A remote attacker can send a specially crafted JWS token with an oversized Base64URL payload segment to cause a denial of service.

Practical impact depends on whether upstream components enforce request body-size limits.


4) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-48526)

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to forge JWT tokens and impersonate users.

The vulnerability exists due to improper verification of cryptographic signature in the JWT verification logic when decoding JSON Web Tokens with both symmetric and asymmetric algorithms enabled and a raw JSON Web Key supplied as the key. A remote attacker can supply a token that specifies HS256 and sign it using the issuer's public JWK as the HMAC secret to forge JWT tokens and impersonate users.

Exploitation requires the verifier to allow HS* and an asymmetric algorithm in the same call and to pass a public-key value as the key.
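As an added defensive example (not part of this bulletin and not PyJWT's own code), the following stdlib-only pre-check encodes the verifier-side conditions named in items 2, 3 and 4: it refuses HS* whenever the key material is an asymmetric JWK, requires the header alg to be in the allowed list and to match a JWK's pinned alg, and caps segment sizes before any decoding. The 4096-byte cap, the function names and the sample JWK and tokens are assumptions constructed for the example.

```python
import base64
import json

# Algorithm names and JWK key types as PyJWT spells them.
HMAC_ALGS = {"HS256", "HS384", "HS512"}
ASYMMETRIC_KTY = {"RSA", "EC", "OKP"}
MAX_SEGMENT_BYTES = 4096  # assumed cap; size it to the largest token you legitimately issue

class TokenPolicyError(ValueError):
    """Raised before any signature work when the token or verifier configuration violates policy."""

def check_key_policy(allowed_algs, key) -> None:
    # Item 4: never allow HS* when the key material is an asymmetric (public) JWK, otherwise the
    # public key would double as the HMAC secret for a token whose header advertises HS256.
    if isinstance(key, dict) and key.get("kty") in ASYMMETRIC_KTY and HMAC_ALGS & set(allowed_algs):
        raise TokenPolicyError("HS* allowed together with an asymmetric JWK")

def prefilter_token(token: str, allowed_algs, key) -> dict:
    """Apply size, algorithm and key policy to a compact JWS before handing it to the library."""
    check_key_policy(allowed_algs, key)
    segments = token.split(".")
    if len(segments) != 3:
        raise TokenPolicyError("expected header.payload.signature")
    # Item 3: bound every segment (the payload may be empty for a detached b64=false JWS) so an
    # oversized payload is refused before any decoding work is spent on it.
    if any(len(seg) > MAX_SEGMENT_BYTES for seg in segments):
        raise TokenPolicyError("segment exceeds size limit")
    header = json.loads(base64.urlsafe_b64decode(segments[0] + "=" * (-len(segments[0]) % 4)))
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in allowed_algs:  # also rejects a missing alg and alg "none"
        raise TokenPolicyError(f"header alg {alg!r} not allowed")
    # Item 2: a JWK that pins its own alg may only verify tokens whose header advertises that alg.
    key_alg = key.get("alg") if isinstance(key, dict) else None
    if key_alg is not None and key_alg != alg:
        raise TokenPolicyError(f"header alg {alg!r} does not match key alg {key_alg!r}")
    return header

def violates_policy(token: str, allowed_algs, key) -> bool:
    """True when prefilter_token rejects the input; convenient for tests and log enrichment."""
    try:
        prefilter_token(token, allowed_algs, key)
    except TokenPolicyError:
        return True
    return False

def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_RSA_JWK = {"kty": "RSA", "alg": "RS256", "e": "AQAB", "n": "constructed-not-a-real-modulus"}  # constructed stand-in
SAMPLE_HS256_TOKEN = _b64url_encode({"alg": "HS256", "typ": "JWT"}) + ".e30.sig"  # constructed, payload "{}"
SAMPLE_RS256_TOKEN = _b64url_encode({"alg": "RS256", "typ": "JWT"}) + ".e30.sig"  # constructed, payload "{}"
```

Call prefilter_token() before jwt.decode(); it narrows the input the library sees and complements, rather than replaces, the vendor update.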


Remediation

Install the update from the vendor's website.