Insufficient verification of data authenticity in pyjwt - CVE-2026-32597
Published: April 27, 2026
Vulnerability identifier: #VU128143
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-32597
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
pyjwt
pyjwt
Software vendor:
jpadilla (José Padilla)
jpadilla (José Padilla)
Description
The vulnerability allows a remote attacker to bypass security policy enforcement.
The vulnerability exists due to insufficient verification of data authenticity in the PyJWT token header validation logic when processing JWS tokens with unknown critical header extensions. A remote attacker can send a specially crafted token to bypass security policy enforcement.
This can cause split-brain verification in mixed-library deployments, where other RFC-compliant libraries reject the same token.
Remediation
Install security update from vendor's website.