Improper Cleanup on Thrown Exception in pyjwt - #VU132103

Published: May 21, 2026


Vulnerability identifier: #VU132103
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-460
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: jpadilla (José Padilla)
Affected software:
pyjwt

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper cleanup on a thrown exception in PyJWKClient.get_signing_key() and fetch_data(). A JWT whose header carries an attacker-controlled, unknown kid value triggers a JWKS fetch; if that fetch fails, the exception path does not clean up the client's state properly. A remote attacker can repeatedly send JWTs with unknown kid values to cause a denial of service.

The impact is limited to authentication availability: tokens that would otherwise validate can be rejected until the next successful JWKS fetch. How long that lasts depends on the upstream JWKS endpoint, for example whether it rate-limits the client or returns transient errors. This is reflected in the Low severity and the CVSS v4.0 vector, which requires specific attack conditions (AT:P) and scores only a low availability impact (VA:L), with no public exploit known (E:U).
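The following is an added, constructed illustration of the failure pattern described above; it is not PyJWT's code and does not claim to reproduce how PyJWKClient is implemented internally. The class and function names (NaiveJWKSClient, HardenedJWKSClient, FlakyFetcher, run_scenario) and the sample JWKS document are hypothetical. It models CWE-460 in a JWKS client: an unknown kid forces a refetch, and a refetch that raises leaves the naive client's key cache torn down, so legitimate tokens are rejected until the upstream endpoint answers again. The hardened variant replaces the key set only after a successful fetch and throttles refetches triggered by unknown kids, so the cached keys keep serving during an upstream outage or rate limit.

```python
"""Constructed model of a JWKS client cache under fetch failure (not PyJWT's code)."""
import time
from typing import Callable, Dict

# Constructed JWKS document; the key material is a placeholder, only "kid" matters here.
SAMPLE_JWKS = {"keys": [{"kid": "key-1", "kty": "oct", "k": "cGxhY2Vob2xkZXI"}]}


class JWKSFetchError(Exception):
    """Raised by the fetcher when the upstream JWKS endpoint fails (e.g. HTTP 429)."""


class FlakyFetcher:
    """Stands in for an HTTP client: fails the next `fail_next` calls, then recovers."""

    def __init__(self, jwks: dict) -> None:
        self.jwks = jwks
        self.fail_next = 0
        self.calls = 0

    def __call__(self) -> dict:
        self.calls += 1
        if self.fail_next > 0:
            self.fail_next -= 1
            raise JWKSFetchError("upstream JWKS endpoint returned 429")
        return self.jwks


class NaiveJWKSClient:
    """Improper cleanup (CWE-460): the cache is cleared *before* the fetch that may raise."""

    def __init__(self, fetch: Callable[[], dict]) -> None:
        self._fetch = fetch
        self._keys: Dict[str, dict] = {}

    def _refresh(self) -> None:
        self._keys = {}                      # state torn down before the risky call...
        jwks = self._fetch()                 # ...so an exception here leaves it empty
        self._keys = {k["kid"]: k for k in jwks["keys"]}

    def get_signing_key(self, kid: str) -> dict:
        if kid not in self._keys:
            self._refresh()                  # every unknown kid forces a refetch
        if kid not in self._keys:
            raise KeyError(f"unknown kid {kid!r}")
        return self._keys[kid]


class HardenedJWKSClient:
    """Keeps the last good key set until a fetch succeeds; throttles refetch attempts."""

    def __init__(self, fetch: Callable[[], dict], min_refresh_interval: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch
        self._min_interval = min_refresh_interval
        self._clock = clock
        self._last_attempt = float("-inf")   # first refresh is never throttled
        self._keys: Dict[str, dict] = {}

    def _refresh(self) -> None:
        now = self._clock()
        if now - self._last_attempt < self._min_interval:
            return                           # don't let each unknown kid hit upstream
        self._last_attempt = now
        jwks = self._fetch()                 # may raise; self._keys is still intact
        self._keys = {k["kid"]: k for k in jwks["keys"]}  # replaced only on success

    def get_signing_key(self, kid: str) -> dict:
        if kid not in self._keys:
            try:
                self._refresh()
            except JWKSFetchError:
                pass                         # log this in real code; keep serving cached keys
        if kid not in self._keys:
            raise KeyError(f"unknown kid {kid!r}")
        return self._keys[kid]


def run_scenario(make_client: Callable, upstream_failures: int = 5) -> dict:
    """Warm the cache, send unknown-kid tokens while upstream fails, then a legitimate one."""
    fetcher = FlakyFetcher(SAMPLE_JWKS)
    client = make_client(fetcher)
    client.get_signing_key("key-1")           # legitimate token populates the cache
    fetcher.fail_next = upstream_failures     # upstream now rate-limits for a while
    for _ in range(3):                        # attacker-controlled unknown kids
        try:
            client.get_signing_key("attacker-kid")
        except (JWKSFetchError, KeyError):
            pass                              # rejected either way; the side effect is the issue
    try:
        client.get_signing_key("key-1")       # legitimate token again
        outcome = "accepted"
    except (JWKSFetchError, KeyError):
        outcome = "rejected"
    return {"legit_token": outcome, "upstream_fetches": fetcher.calls}


if __name__ == "__main__":
    print("naive:    ", run_scenario(NaiveJWKSClient))
    print("hardened: ", run_scenario(lambda f: HardenedJWKSClient(f, min_refresh_interval=0.0)))
    print("throttled:", run_scenario(HardenedJWKSClient))
```

With five consecutive upstream failures, the naive client rejects the legitimate token and makes five upstream fetches; the hardened client with throttling disabled still accepts it after four fetches because its cache survives the failed refetches; with the default 60-second throttle it makes a single fetch and never lets the attacker's unknown kids reach the JWKS endpoint at all. The two mitigations are independent: the first prevents the CWE-460 state loss, the second limits how much an attacker can amplify upstream rate limiting.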


Remediation

Install the security update from the vendor's website.

Sources