Improper Verification of Cryptographic Signature in pyjwt - #VU132105


Published: May 21, 2026


Vulnerability identifier: #VU132105
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: jpadilla (José Padilla)
Affected software:
pyjwt

Detailed vulnerability description

The vulnerability allows a remote attacker to forge JWT tokens and impersonate users.

The vulnerability exists due to improper verification of the cryptographic signature in the JWT verification logic when decoding JSON Web Tokens with both symmetric and asymmetric algorithms enabled and a raw JSON Web Key supplied as the key. A remote attacker can supply a token whose header specifies HS256 and sign it using the issuer's public JWK as the HMAC secret, forging JWT tokens and impersonating users.

Exploitation requires the verifier to allow an HS* algorithm and an asymmetric algorithm in the same call and to pass a public-key value as the key.
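The two conditions above are checkable before any signature is verified. The following added example (not PyJWT's code, and not from the advisory) is a standard-library-only verifier that rejects a configuration mixing HS* with an asymmetric algorithm, and rejects HS* whenever the supplied key is public material (a JWK or a PEM public key), so a token's own `alg` header can never select the HMAC interpretation of a public key. The names `SYMMETRIC`, `ASYMMETRIC`, `check_policy`, `verify_hs256` and the JWK/secret values are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Algorithm families as named in RFC 7518. A verifier should accept one family
# per call; otherwise the token's "alg" header chooses how the key is used.
SYMMETRIC = {"HS256", "HS384", "HS512"}
ASYMMETRIC = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
              "ES256", "ES384", "ES512", "EdDSA"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def key_is_public_material(key) -> bool:
    """True if `key` looks like public key material: a JWK (dict or JSON text
    with a "kty" member) or a PEM public key. Such values are meant to be
    published and can never serve as an HMAC secret."""
    if isinstance(key, dict):
        return "kty" in key
    if isinstance(key, bytes):
        key = key.decode("utf-8", errors="replace")
    if isinstance(key, str):
        text = key.strip()
        if text.startswith("{"):
            try:
                return "kty" in json.loads(text)
            except ValueError:
                return False
        return text.startswith("-----BEGIN") and "PUBLIC KEY" in text
    return False


def check_policy(allowed, key) -> list:
    """Return the policy violations of a verifier configuration (empty = OK)."""
    allowed = set(allowed)
    problems = []
    if allowed & SYMMETRIC and allowed & ASYMMETRIC:
        problems.append("HS* and an asymmetric algorithm are enabled in the same call")
    if allowed & SYMMETRIC and key_is_public_material(key):
        problems.append("HS* is enabled but the key is public material (JWK/PEM public key)")
    return problems


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue an HS256 token; used here only to build a constructed sample."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key, allowed) -> dict:
    """Verify an HS256 token, refusing first any unsafe algorithm/key policy."""
    problems = check_policy(allowed, key)
    if problems:
        raise ValueError("unsafe verifier configuration: " + "; ".join(problems))
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg not in set(allowed):
        raise ValueError(f"algorithm {alg!r} not permitted")
    if alg != "HS256":
        raise ValueError("only HS256 is implemented in this example")
    if not isinstance(key, bytes):
        raise ValueError("HS256 requires a shared secret as bytes")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def rejects(token: str, key, allowed) -> bool:
    """True if verify_hs256 refuses the token under this configuration."""
    try:
        verify_hs256(token, key, allowed)
        return False
    except ValueError:
        return True


# Constructed sample inputs (placeholders, not real key material).
SHARED_SECRET = b"constructed-shared-secret"
ISSUER_JWK = {"kty": "RSA", "n": "constructed-modulus", "e": "AQAB"}

if __name__ == "__main__":
    tok = sign_hs256({"sub": "alice"}, SHARED_SECRET)
    print(verify_hs256(tok, SHARED_SECRET, ["HS256"]))
    print(check_policy(["HS256", "RS256"], ISSUER_JWK))
```

In a real deployment the same rule applies to the library call: pass a single algorithm family in the allowed list, and never hand a JWK or PEM public key to a verifier that still has HS* enabled.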


Remediation

Install the security update from the vendor's website.

Sources