PatchSiren cyber security CVE debrief
CVE-2026-48526 jpadilla CVE debrief
CVE-2026-48526 is a HIGH severity vulnerability (CVSS 7.4) in PyJWT, a widely used JSON Web Token implementation for Python. The flaw exists in versions prior to 2.13.0 and stems from improper validation in deployments where both asymmetric (public-key) and HMAC (symmetric) algorithms are accepted. Specifically, when decoding JWTs, PyJWT fails to validate the use of JSON Web Keys (JWK) in HMAC algorithm contexts. This allows an attacker to use the issuer's public key, which is typically publicly available, as the secret key for HMAC verification. The vulnerability was published to the CVE database on 2026-05-28 and remains under analysis by NVD as of that date. The issue is classified under CWE-287 (Improper Authentication) and CWE-347 (Improper Verification of Cryptographic Signature). Users should upgrade to PyJWT 2.13.0 or later to remediate this vulnerability.
- Vendor: jpadilla
- Product: pyjwt
- CVSS: HIGH 7.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
Organizations using PyJWT for JWT verification with mixed algorithm support, particularly those exposing public keys that could be repurposed by attackers. Developers implementing authentication systems, API gateways, or microservices using PyJWT should prioritize this update.
Technical summary
The vulnerability arises from PyJWT's failure to properly validate JSON Web Key usage when HMAC algorithms are employed alongside asymmetric algorithms. In JWT implementations supporting both algorithm types, an attacker can exploit this by using the publicly available RSA/EC public key as the HMAC secret key. Since HMAC verification uses symmetric secrets, and the public key is known, the attacker can forge valid JWT signatures that the verifier accepts. This represents a classic 'algorithm confusion' attack variant specific to JWK handling. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) indicates network attack vector, high attack complexity, no privileges required, no user interaction, with high impact to confidentiality and integrity but no availability impact.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade PyJWT to version 2.13.0 or later
- Review application JWT verification configurations to ensure algorithm validation is strict
- Audit existing JWT implementations for mixed asymmetric/HMAC algorithm support
- Monitor PyJWT security advisories for additional guidance
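The strict algorithm validation recommended above, as an added stdlib-only example that is not PyJWT's own code: the verifier derives the permitted algorithm list from the key it holds (a PEM public key allows only asymmetric algorithms) and rejects any token whose header names an algorithm outside that list before the signature is examined. The placeholder PEM body, the shared secret and the claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values: a placeholder public key (only the PEM framing is
# inspected below) and a shared secret for the legitimate symmetric path.
ISSUER_PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER-KEY-BODY\n-----END PUBLIC KEY-----\n"
SHARED_SECRET = b"constructed-shared-secret"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def allowed_algorithms(key) -> list:
    """Derive the allowlist from the verification key, never from the token header."""
    text = key.decode() if isinstance(key, bytes) else key
    if text.lstrip().startswith("-----BEGIN"):
        return ["RS256", "ES256"]  # PEM public key: asymmetric algorithms only
    return ["HS256"]               # anything else is treated as a symmetric secret


def make_hs256_token(claims: dict, secret: bytes) -> str:
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify(token: str, key) -> dict:
    """Reject a header 'alg' outside the key-derived allowlist before any signature check."""
    header_b64, body_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    allowed = allowed_algorithms(key)
    if alg not in allowed:
        raise ValueError(f"alg {alg!r} not permitted for this key (allowed: {allowed})")
    if alg == "HS256":
        secret = key if isinstance(key, bytes) else key.encode()
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        return json.loads(b64url_decode(body_b64))
    # RS256/ES256 tokens would be handed to jwt.decode(token, key, algorithms=allowed)
    raise NotImplementedError("asymmetric verification is delegated to the JWT library")


def rejects(token: str, key) -> bool:
    """True when verify() refuses the token (used for the checks below)."""
    try:
        verify(token, key)
    except ValueError:
        return True
    return False
```

In PyJWT the same rule is expressed by always passing an explicit `algorithms=[...]` list to `jwt.decode` that matches the key type held by the verifier.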
Evidence notes
Vulnerability description and CVSS data sourced from NVD official record. Fix version 2.13.0 confirmed in CVE description. CWE classifications and advisory reference from NVD source metadata. NVD status indicates 'Undergoing Analysis' as of 2026-05-28.
Official resources
- CVE-2026-48526 CVE record (CVE.org)
- CVE-2026-48526 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28