CVE-2026-48524 jpadilla CVE debrief

Who should care

Organizations using PyJWT with `PyJWKClient` for JWT validation in production environments, particularly those with external JWKS dependencies or strict availability requirements.

Technical summary

The vulnerability exists in `PyJWKClient.get_signing_key()` which, prior to 2.13.0, performs an unconditional HTTP fetch to the JWKS endpoint when presented with a JWT bearing an unrecognized `kid`. The `kid` value is attacker-controlled via the unverified JWT header. While each request requires a valid JWT structure, the absence of caching or rate limiting allows an attacker to generate unlimited unique `kid` values, each triggering a fresh network request. The attack surface is constrained: successful exploitation requires the JWKS endpoint to fail or become unavailable, and the attacker's ability to influence this depends on external factors. The fix in 2.13.0 introduces proper handling to prevent unbounded requests.

Defensive priority

LOW

Recommended defensive actions

• Upgrade PyJWT to version 2.13.0 or later to obtain the fix for unbounded JWKS endpoint requests
• Implement network-level rate limiting on outbound connections to JWKS endpoints as a defense-in-depth measure
• Monitor for abnormal volumes of JWT validation failures with unknown kid values in application logs
• Consider caching JWKS responses with appropriate TTL to reduce dependency on real-time endpoint availability
• Review application architecture to ensure JWKS endpoint failures fail safely without cascading service degradation

Evidence notes

CVE published 2026-05-28T16:16:29.403Z; modified 2026-05-28T18:03:16.223Z. CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L. Weaknesses: CWE-460 (Improper Cleanup on Thrown Exception), CWE-755 (Improper Handling of Exceptional Conditions).

Official resources