CVE-2026-48522: CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') in jpadilla pyjwt
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no documented option to restrict which schemes PyJWKClient will fetch. If an application's jku URL ingestion path accepts attacker-influenced URLs (e.g., from JWT header, configuration file, OAuth flow parameter), the attacker can cause PyJWKClient to read arbitrary local files via file:// (SSRF on local filesystem), cause PyJWKClient to attempt FTP / data-URI fetches (broader SSRF surface), or forge tokens that PyJWT verifies as valid. The library does not directly return non-HTTP(S) URI contents to the attacker; the chained "plant a JWKS to forge tokens" scenario described in the original report requires additional application-layer flaws (attacker write access to a filesystem path, untrusted jku derivation) that this fix does not address. This vulnerability is fixed in 2.13.0.
AI Analysis
Technical Summary
PyJWT versions before 2.13.0 contain a vulnerability where PyJWKClient does not restrict URI schemes when fetching keys, passing the URI directly to urllib.request.urlopen(). This allows an attacker who can influence the jku URL to cause Server-Side Request Forgery (SSRF) to local files (file://), FTP, or data URIs. While the library does not directly expose non-HTTP(S) contents to attackers, chained exploitation with additional application flaws could enable token forgery. The issue is addressed in PyJWT 2.13.0.
Potential Impact
An attacker able to control the jku URL input to PyJWKClient can cause the library to fetch arbitrary local files or perform SSRF via non-HTTP(S) schemes, potentially leading to information disclosure or token forgery if combined with other application vulnerabilities. The direct impact is limited by the need for attacker influence over jku URLs and additional flaws for full token forgery. No known active exploitation has been reported.
Mitigation Recommendations
A fix is available in PyJWT version 2.13.0. Users should upgrade to this version or later to address the vulnerability. Since this is a cloud-hosted service, the vendor manages remediation for the cloud environment. Check the vendor advisory for confirmation and further guidance. No additional mitigation is indicated by the vendor advisory.
CVE-2026-48522: CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') in jpadilla pyjwt
Description
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no documented option to restrict which schemes PyJWKClient will fetch. If an application's jku URL ingestion path accepts attacker-influenced URLs (e.g., from JWT header, configuration file, OAuth flow parameter), the attacker can cause PyJWKClient to read arbitrary local files via file:// (SSRF on local filesystem), cause PyJWKClient to attempt FTP / data-URI fetches (broader SSRF surface), or forge tokens that PyJWT verifies as valid. The library does not directly return non-HTTP(S) URI contents to the attacker; the chained "plant a JWKS to forge tokens" scenario described in the original report requires additional application-layer flaws (attacker write access to a filesystem path, untrusted jku derivation) that this fix does not address. This vulnerability is fixed in 2.13.0.
CVSS v3.1
Score 4.2medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
PyJWT versions before 2.13.0 contain a vulnerability where PyJWKClient does not restrict URI schemes when fetching keys, passing the URI directly to urllib.request.urlopen(). This allows an attacker who can influence the jku URL to cause Server-Side Request Forgery (SSRF) to local files (file://), FTP, or data URIs. While the library does not directly expose non-HTTP(S) contents to attackers, chained exploitation with additional application flaws could enable token forgery. The issue is addressed in PyJWT 2.13.0.
Potential Impact
An attacker able to control the jku URL input to PyJWKClient can cause the library to fetch arbitrary local files or perform SSRF via non-HTTP(S) schemes, potentially leading to information disclosure or token forgery if combined with other application vulnerabilities. The direct impact is limited by the need for attacker influence over jku URLs and additional flaws for full token forgery. No known active exploitation has been reported.
Mitigation Recommendations
A fix is available in PyJWT version 2.13.0. Users should upgrade to this version or later to address the vulnerability. Since this is a cloud-hosted service, the vendor manages remediation for the cloud environment. Check the vendor advisory for confirmation and further guidance. No additional mitigation is indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-21T16:18:10.619Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a186056e29bf47b500b42d2
Added to database: 5/28/2026, 3:33:42 PM
Last enriched: 5/28/2026, 3:50:15 PM
Last updated: 5/29/2026, 8:21:06 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.