PyJWT is a widely used Python library for creating and verifying JSON Web Tokens (JWTs), which are commonly employed for authentication and authorization in web applications and APIs. The vulnerability identified as CVE-2026-32597 stems from PyJWT's failure to properly validate the 'crit' (Critical) header parameter in JWS tokens prior to version 2.12.0. According to RFC 7515 §4.1.11, the 'crit' header indicates which extensions are critical for processing the token, and any extensions listed therein that the implementation does not understand must cause the token to be rejected. PyJWT's improper handling means that tokens containing unknown critical extensions are accepted rather than rejected, violating the RFC's MUST requirement. This can allow attackers to craft malicious tokens with unrecognized critical extensions that bypass security checks or introduce unauthorized claims, undermining the integrity of the token validation process. The vulnerability does not impact confidentiality or availability directly but compromises the trustworthiness of token-based authentication. Exploitation is straightforward as it requires no authentication or user interaction and can be executed remotely by submitting crafted tokens to vulnerable services. The issue is resolved in PyJWT version 2.12.0, where proper validation of the 'crit' header is enforced. No known exploits are currently reported in the wild, but the high CVSS score of 7.5 reflects the significant risk posed by this flaw.

The vulnerability affects the integrity of JWT validation in applications using PyJWT versions prior to 2.12.0. Attackers can exploit this flaw to bypass security controls by presenting tokens with unrecognized critical extensions that are accepted rather than rejected. This can lead to unauthorized access, privilege escalation, or manipulation of application logic that relies on JWT claims for authorization decisions. Since JWTs are widely used for session management, API authentication, and federated identity, the impact can be broad, affecting web applications, microservices, and APIs globally. The flaw does not compromise confidentiality or availability directly but undermines trust in authentication mechanisms, potentially enabling attackers to impersonate users or escalate privileges without detection. Organizations relying on PyJWT for security-critical functions face increased risk of unauthorized access and data integrity violations until patched.

The primary mitigation is to upgrade PyJWT to version 2.12.0 or later, where the 'crit' header parameter is properly validated in compliance with RFC 7515. Organizations should audit their codebases and dependencies to identify usage of vulnerable PyJWT versions and prioritize patching. Additionally, implement defense-in-depth by validating JWTs at multiple layers, including API gateways or identity providers, to detect malformed or suspicious tokens. Employ strict token validation policies that reject tokens with unknown or unexpected header parameters. Monitoring and logging JWT validation failures can help detect exploitation attempts. For environments where immediate upgrade is not feasible, consider implementing custom validation logic to enforce 'crit' header checks or temporarily disable acceptance of tokens with critical extensions until patched. Finally, educate developers and security teams about the importance of adhering to JWT standards and promptly applying security updates.