CVE-2026-48524: CWE-460: Improper Cleanup on Thrown Exception in jpadilla pyjwt
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. This vulnerability is fixed in 2.13.0.
AI Analysis
Technical Summary
The vulnerability in PyJWT (CVE-2026-48524) involves improper cleanup on thrown exceptions related to JWKS fetching. Specifically, the PyJWKClient.get_signing_key() method forces a new HTTP request to the JWKS endpoint for every JWT with an unknown 'kid' header value, without rate limiting. Since 'kid' is extracted from an unverified token header, an attacker can trigger unlimited outbound requests, potentially causing denial of service conditions. The exploitability depends on the JWKS endpoint's error handling and rate limiting. This flaw is addressed in PyJWT version 2.13.0.
Potential Impact
The vulnerability can lead to low-severity denial of service conditions by causing the client to make unlimited outbound HTTP requests to the JWKS endpoint when processing JWTs with unknown 'kid' values. This may exhaust client or network resources. There is no impact on confidentiality or integrity. The attack depends on the JWKS endpoint's behavior and only occurs when JWKS fetches fail.
Mitigation Recommendations
Upgrade PyJWT to version 2.13.0 or later, where this vulnerability is fixed. Since no official patch link or remediation level is explicitly provided, users should verify the upgrade availability from the vendor's official sources. No additional mitigations are indicated.
CVE-2026-48524: CWE-460: Improper Cleanup on Thrown Exception in jpadilla pyjwt
Description
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. This vulnerability is fixed in 2.13.0.
CVSS v3.1
Score 3.7low
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in PyJWT (CVE-2026-48524) involves improper cleanup on thrown exceptions related to JWKS fetching. Specifically, the PyJWKClient.get_signing_key() method forces a new HTTP request to the JWKS endpoint for every JWT with an unknown 'kid' header value, without rate limiting. Since 'kid' is extracted from an unverified token header, an attacker can trigger unlimited outbound requests, potentially causing denial of service conditions. The exploitability depends on the JWKS endpoint's error handling and rate limiting. This flaw is addressed in PyJWT version 2.13.0.
Potential Impact
The vulnerability can lead to low-severity denial of service conditions by causing the client to make unlimited outbound HTTP requests to the JWKS endpoint when processing JWTs with unknown 'kid' values. This may exhaust client or network resources. There is no impact on confidentiality or integrity. The attack depends on the JWKS endpoint's behavior and only occurs when JWKS fetches fail.
Mitigation Recommendations
Upgrade PyJWT to version 2.13.0 or later, where this vulnerability is fixed. Since no official patch link or remediation level is explicitly provided, users should verify the upgrade availability from the vendor's official sources. No additional mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-21T16:18:10.619Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a186056e29bf47b500b42d8
Added to database: 5/28/2026, 3:33:42 PM
Last enriched: 5/28/2026, 3:49:42 PM
Last updated: 5/28/2026, 10:52:52 PM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.