CVE-2026-33204 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) found in the simplejwt PHP library developed by kelvinmo. The flaw exists in versions prior to 1.1.1 and specifically affects the decryption process of JSON Web Encryption (JWE) tokens when PBES2 (Password-Based Encryption Scheme 2) algorithms are employed. An attacker can craft malicious JWE tokens with tampered headers that, when processed by the vulnerable JWE::decrypt() function, cause excessive resource consumption such as CPU or memory exhaustion. This leads to a Denial of Service (DoS) condition, rendering the application or service unavailable. The attack vector requires no authentication or user interaction, and can be executed remotely by sending specially crafted tokens to the affected application. The vulnerability does not impact confidentiality or integrity of data but solely availability. The issue was identified and patched in version 1.1.1 of simplejwt. No known exploits have been reported in the wild as of the publication date. The CVSS v3.1 base score is 7.5, reflecting high severity due to ease of exploitation and significant impact on availability. This vulnerability is critical for applications that rely on simplejwt for JWT handling, especially those exposed to untrusted inputs or public-facing APIs that decrypt JWE tokens using PBES2 algorithms.

The primary impact of CVE-2026-33204 is Denial of Service, which can disrupt the availability of web applications or services using vulnerable versions of simplejwt for JWT decryption with PBES2 algorithms. Organizations relying on this library may experience service outages or degraded performance, potentially affecting user experience and business operations. Since the attack requires no authentication and can be triggered remotely, it poses a significant risk to internet-facing applications. While confidentiality and integrity are not compromised, the loss of availability can lead to operational downtime, loss of customer trust, and potential financial losses. In environments where JWTs are critical for authentication or session management, disruption can cascade to broader system impacts. The absence of known exploits in the wild suggests limited current exploitation, but the vulnerability’s high severity and ease of exploitation warrant urgent remediation. Organizations with automated systems or APIs processing JWTs are particularly vulnerable to resource exhaustion attacks leveraging this flaw.

To mitigate CVE-2026-33204, organizations should immediately upgrade the simplejwt library to version 1.1.1 or later, where the vulnerability has been patched. Additionally, implement strict input validation and filtering on JWT tokens received from untrusted sources to detect and reject malformed or suspicious JWE headers. Employ rate limiting and anomaly detection on endpoints that process JWTs to prevent abuse through repeated malicious requests. Consider deploying Web Application Firewalls (WAFs) with custom rules to block known attack patterns targeting JWT decryption. Monitor application logs for unusual spikes in resource usage or errors related to JWT processing. For critical systems, isolate JWT processing components and apply resource usage quotas to limit the impact of potential resource exhaustion. Regularly review and update dependencies to incorporate security patches promptly. Finally, educate development teams about secure JWT handling practices and the risks of processing attacker-controlled tokens without validation.