Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-48523— PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys

CVSS 5.4 · Medium EPSS 0.02% · P6

Possible ATT&CK Techniques 1AI

T1556 · Modify Authentication Process

Affected Version Matrix 1

VendorProductVersion RangeStatus
jpadillapyjwt>= 2.9.0, < 2.13.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-48523

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys
Source: NVD (National Vulnerability Database)
Vulnerability Description
PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature verification is performed with the algorithm bound to the PyJWK object instead of the header algorithm. An attacker who controls a registered JWK/JWKS private key can sign with a disallowed algorithm, advertise an allowed algorithm in the JWT header, and still be accepted. The issue affects the documented PyJWKClient.get_signing_key_from_jwt(...) flow. This vulnerability is fixed in 2.13.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
密码学签名的验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
pyjwt 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
pyjwt是美国José Padilla个人开发者的一个 Python 库。允许对 JSON Web 令牌(JWT)进行编码和解码。 pyjwt 2.9.0版本至2.12.1版本存在安全漏洞,该漏洞源于当使用PyJWK密钥调用jwt.decode()或jwt.decode_complete()时,验证器端算法允许列表被绕过,令牌头算法与调用者提供的算法允许列表进行比对,但签名验证使用绑定到PyJWK对象的算法而非头算法,导致攻击者可以使用不允许的算法签名,在JWT头中声明允许的算法,仍被接受。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
jpadillapyjwt >= 2.9.0, < 2.13.0 -

II. Public POCs for CVE-2026-48523

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-48523

登录查看更多情报信息。

Vendor Advisories for CVE-2026-48523 (1)

Same Patch Batch · jpadilla · 2026-05-28 · 5 CVEs total

CVE-2026-485267.4 HIGHPyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed famil
CVE-2026-485255.3 MEDIUMPyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b
CVE-2026-485224.2 MEDIUMPyJWKClient: missing scheme allowlist enables SSRF + token forgery via file://, ftp://, da
CVE-2026-485243.7 LOWPyJWT: PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (Do

IV. Related Vulnerabilities

Same product: pyjwt
Same vendor: jpadilla
Same weakness: CWE-347

V. Comments for CVE-2026-48523

No comments yet

Leave a comment