CVE-2026-32597: CWE-345: Insufficient Verification of Data Authenticity in jpadilla pyjwt
CVE-2026-32597 is a high-severity vulnerability in the PyJWT Python library versions prior to 2. 12. 0. The issue arises because PyJWT does not validate the 'crit' (Critical) header parameter in JSON Web Signature (JWS) tokens as required by RFC 7515 §4. 1. 11. When a token contains a 'crit' array listing extensions that PyJWT does not recognize, the library incorrectly accepts the token instead of rejecting it, violating the RFC's mandatory behavior. This flaw can lead to attackers bypassing signature verification or injecting malicious token content, impacting integrity without requiring authentication or user interaction. Although no known exploits are reported in the wild yet, the vulnerability poses a significant risk to any system relying on PyJWT for token validation. The issue is fixed in PyJWT version 2.
AI Analysis
Technical Summary
PyJWT is a widely used Python library for encoding and decoding JSON Web Tokens (JWTs), which are commonly employed for authentication and authorization in web applications and APIs. According to RFC 7515 §4.1.11, the 'crit' header parameter in a JWS token is a critical extension indicator that mandates the recipient to understand and process all listed extensions; otherwise, the token must be rejected. Prior to version 2.12.0, PyJWT failed to enforce this requirement, allowing tokens with unrecognized critical extensions to be accepted without proper validation. This constitutes an insufficient verification of data authenticity (CWE-345) and improper restriction of operations within the security policy (CWE-863). An attacker could craft a malicious JWT containing critical extensions that PyJWT ignores, potentially bypassing signature verification or injecting unauthorized claims. The vulnerability has a CVSS 3.1 base score of 7.5, reflecting its high severity due to network exploitability, no required privileges or user interaction, and a direct impact on data integrity. The flaw affects all PyJWT versions before 2.12.0 and is resolved by upgrading to 2.12.0 or later. No public exploits have been reported yet, but the vulnerability's nature makes it a serious concern for any application relying on PyJWT for secure token validation.
Potential Impact
The primary impact of this vulnerability is on the integrity of authentication and authorization mechanisms that rely on PyJWT. Attackers could exploit this flaw to craft JWTs that bypass signature verification or inject unauthorized claims, potentially gaining unauthorized access to protected resources or escalating privileges within applications. This undermines trust in token-based security models and can lead to data breaches, unauthorized transactions, or service misuse. Since JWTs are widely used in modern web applications, APIs, and microservices architectures, the vulnerability could affect a broad range of organizations globally, especially those using Python-based backends with PyJWT for session management or API security. The lack of required authentication or user interaction for exploitation increases the risk of automated attacks. Although availability and confidentiality impacts are minimal, the integrity compromise alone is critical for security-sensitive environments.
Mitigation Recommendations
Organizations should immediately audit their use of PyJWT and identify any deployments running versions prior to 2.12.0. The primary mitigation is to upgrade PyJWT to version 2.12.0 or later, where the vulnerability is fixed by proper validation of the 'crit' header parameter according to RFC 7515. Additionally, developers should implement defense-in-depth by validating JWTs at multiple layers, including verifying token claims and signatures explicitly and employing strict schema validation for JWT contents. Security teams should monitor logs for suspicious JWT usage patterns and consider implementing anomaly detection for token anomalies. For environments where immediate upgrade is not feasible, custom patches or token validation wrappers that enforce 'crit' header checks can be applied. Finally, organizations should review their overall JWT usage policies and educate developers about secure JWT handling best practices to prevent similar issues.
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, South Korea, India, Brazil, Netherlands, Sweden, Singapore
CVE-2026-32597: CWE-345: Insufficient Verification of Data Authenticity in jpadilla pyjwt
Description
CVE-2026-32597 is a high-severity vulnerability in the PyJWT Python library versions prior to 2. 12. 0. The issue arises because PyJWT does not validate the 'crit' (Critical) header parameter in JSON Web Signature (JWS) tokens as required by RFC 7515 §4. 1. 11. When a token contains a 'crit' array listing extensions that PyJWT does not recognize, the library incorrectly accepts the token instead of rejecting it, violating the RFC's mandatory behavior. This flaw can lead to attackers bypassing signature verification or injecting malicious token content, impacting integrity without requiring authentication or user interaction. Although no known exploits are reported in the wild yet, the vulnerability poses a significant risk to any system relying on PyJWT for token validation. The issue is fixed in PyJWT version 2.
AI-Powered Analysis
Technical Analysis
PyJWT is a widely used Python library for encoding and decoding JSON Web Tokens (JWTs), which are commonly employed for authentication and authorization in web applications and APIs. According to RFC 7515 §4.1.11, the 'crit' header parameter in a JWS token is a critical extension indicator that mandates the recipient to understand and process all listed extensions; otherwise, the token must be rejected. Prior to version 2.12.0, PyJWT failed to enforce this requirement, allowing tokens with unrecognized critical extensions to be accepted without proper validation. This constitutes an insufficient verification of data authenticity (CWE-345) and improper restriction of operations within the security policy (CWE-863). An attacker could craft a malicious JWT containing critical extensions that PyJWT ignores, potentially bypassing signature verification or injecting unauthorized claims. The vulnerability has a CVSS 3.1 base score of 7.5, reflecting its high severity due to network exploitability, no required privileges or user interaction, and a direct impact on data integrity. The flaw affects all PyJWT versions before 2.12.0 and is resolved by upgrading to 2.12.0 or later. No public exploits have been reported yet, but the vulnerability's nature makes it a serious concern for any application relying on PyJWT for secure token validation.
Potential Impact
The primary impact of this vulnerability is on the integrity of authentication and authorization mechanisms that rely on PyJWT. Attackers could exploit this flaw to craft JWTs that bypass signature verification or inject unauthorized claims, potentially gaining unauthorized access to protected resources or escalating privileges within applications. This undermines trust in token-based security models and can lead to data breaches, unauthorized transactions, or service misuse. Since JWTs are widely used in modern web applications, APIs, and microservices architectures, the vulnerability could affect a broad range of organizations globally, especially those using Python-based backends with PyJWT for session management or API security. The lack of required authentication or user interaction for exploitation increases the risk of automated attacks. Although availability and confidentiality impacts are minimal, the integrity compromise alone is critical for security-sensitive environments.
Mitigation Recommendations
Organizations should immediately audit their use of PyJWT and identify any deployments running versions prior to 2.12.0. The primary mitigation is to upgrade PyJWT to version 2.12.0 or later, where the vulnerability is fixed by proper validation of the 'crit' header parameter according to RFC 7515. Additionally, developers should implement defense-in-depth by validating JWTs at multiple layers, including verifying token claims and signatures explicitly and employing strict schema validation for JWT contents. Security teams should monitor logs for suspicious JWT usage patterns and consider implementing anomaly detection for token anomalies. For environments where immediate upgrade is not feasible, custom patches or token validation wrappers that enforce 'crit' header checks can be applied. Finally, organizations should review their overall JWT usage policies and educate developers about secure JWT handling best practices to prevent similar issues.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-12T14:54:24.269Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69b3375b2f860ef943024596
Added to database: 3/12/2026, 9:59:55 PM
Last enriched: 3/12/2026, 10:14:06 PM
Last updated: 3/13/2026, 12:05:54 AM
Views: 22
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.