CVE-2026-32597

Name: CVE-2026-32597
Description: PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
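The check the description says was missing, as an added defensive example that is not part of this tracker entry or of PyJWT's own code: it applies RFC 7515 §4.1.11 to a JWS protected header and rejects a crit value that is not a non-empty array, names registered parameters, names parameters the header does not carry, or lists an extension the verifier does not support. The function names, the supported-extension set and the unsigned demo-token builder are this example's own assumptions.

```python
import base64
import json

# Names registered by RFC 7515; section 4.1.11 forbids listing any of them in "crit".
REGISTERED_HEADER_PARAMS = frozenset({
    "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit",
})

def crit_error(header, supported_extensions=frozenset()):
    """Apply RFC 7515 section 4.1.11 to a parsed JOSE header.

    Returns None if the header is acceptable, else a reason string meaning "reject".
    supported_extensions: extension header names this application understands.
    """
    if not isinstance(header, dict):
        return "JOSE header must be a JSON object"
    if "crit" not in header:
        return None  # optional parameter; absent means no extension is critical
    crit = header["crit"]
    if not isinstance(crit, list) or not crit:
        return "crit must be a non-empty JSON array"
    if not all(isinstance(name, str) for name in crit):
        return "crit entries must be strings"
    if len(set(crit)) != len(crit):
        return "crit must not contain duplicate names"
    for name in crit:
        if name in REGISTERED_HEADER_PARAMS:
            return f"crit must not name registered parameter {name!r}"
        if name not in header:
            return f"crit names {name!r} but the header does not carry it"
        if name not in supported_extensions:  # the check the advisory says was missing
            return f"unsupported critical extension {name!r}"
    return None

def token_crit_error(token, supported_extensions=frozenset()):
    """Parse the protected header of a compact JWS and apply crit_error (None = OK)."""
    try:
        segment = token.split(".")[0]
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        header = json.loads(raw)
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all subclass ValueError
        return "protected header is not valid base64url JSON"
    return crit_error(header, frozenset(supported_extensions))

def make_demo_token(header, payload=None):
    """Constructed, UNSIGNED compact JWS (empty signature) used only to exercise the check."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload or {})}."
```

Run token_crit_error on the protected header before signature verification; a non-None result means the token must be rejected regardless of whether its signature is valid.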

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release    | Version  | Status
pyjwt (PTS)    | bullseye   | 1.7.1-2  | vulnerable
pyjwt (PTS)    | bookworm   | 2.6.0-1  | vulnerable
pyjwt (PTS)    | trixie     | 2.10.1-2 | vulnerable
pyjwt (PTS)    | forky, sid | 2.11.0-2 | vulnerable

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
pyjwt   | source | (unstable) | (unfixed)     |         |        |

Notes

https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f
Fixed by: https://github.com/jpadilla/pyjwt/commit/051ea341b5573fe3edcd53042f347929b92c2b92 (2.12.0)
