PatchSiren cyber security CVE debrief
CVE-2026-32597 Pyjwt Project CVE debrief
CVE-2026-32597 is a high-severity vulnerability in PyJWT, a JSON Web Token implementation in Python. The vulnerability allows attackers to bypass critical (crit) Header Parameter validation as defined in RFC 7515 §4.1.11. Prior to version 2.12.0, PyJWT does not properly validate the crit array listing extensions it does not understand, potentially leading to security risks. This vulnerability has been fixed in PyJWT version 2.12.0. Multiple sources, including GitHub and Red Hat, have provided advisories and patches for this vulnerability.
- Vendor
- Pyjwt Project
- Product
- Pyjwt
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-03-13
- Original CVE updated
- 2026-06-30
- Advisory published
- 2026-03-13
- Advisory updated
- 2026-06-30
Who should care
Users of PyJWT, especially those using versions prior to 2.12.0, should be aware of this vulnerability and take steps to upgrade or mitigate the risk. This includes developers and administrators working with JSON Web Tokens in Python applications. Given the high CVSS score of 7.5, organizations should prioritize patching or applying compensating controls.
Technical summary
The vulnerability in PyJWT arises from the library's failure to validate the crit (Critical) Header Parameter as specified in RFC 7515 §4.1.11. When a JWS token contains a crit array with extensions that PyJWT does not understand, the library incorrectly accepts the token instead of rejecting it. This behavior violates the MUST requirement in the RFC, potentially allowing for security bypasses. The issue is addressed in PyJWT version 2.12.0, which properly handles the validation of critical header parameters.
Defensive priority
High priority should be given to upgrading PyJWT to version 2.12.0 or later. In the interim, defenders should closely monitor token validation processes and consider implementing additional security controls to mitigate potential risks.
Recommended defensive actions
- Upgrade PyJWT to version 2.12.0 or later.
- Review and update token validation processes to ensure proper handling of critical header parameters.
- Monitor for and respond to potential security incidents related to JSON Web Token processing.
- Apply patches and advisories provided by vendors and open-source maintainers.
- Consider implementing compensating controls, such as additional validation layers or security monitoring.
Evidence notes
The CVE-2026-32597 vulnerability is documented in multiple sources, including the official CVE record, NVD details, and various vendor advisories. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. PyJWT versions prior to 2.12.0 are affected, and the issue is addressed in version 2.12.0. Various Red Hat errata and GitHub advisories provide additional context and mitigation strategies.
Official resources
-
CVE-2026-32597 CVE record
CVE.org
-
CVE-2026-32597 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Exploit, Mitigation, Vendor Advisory
-
Source reference
af854a3a-2127-422b-91ae-364da2661108
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.