CVE-2026-48526: CWE-287: Improper Authentication in jpadilla pyjwt
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0.
AI Analysis
Technical Summary
PyJWT is a Python library for JSON Web Token implementation. Before version 2.13.0, when decoding JWTs supporting both asymmetric and HMAC algorithms, the library did not properly validate the use of JSON Web Keys in HMAC algorithms. This allowed an attacker to use the issuer's public key as the secret key for HMAC, bypassing intended authentication controls. This vulnerability is tracked as CVE-2026-48526 and is classified under CWE-287 and CWE-347. The vulnerability has a CVSS score of 7.4, reflecting a high impact on confidentiality and integrity but no impact on availability. The issue is resolved in PyJWT 2.13.0.
Potential Impact
Successful exploitation could allow an attacker to forge or manipulate JSON Web Tokens by using the issuer's public key as the HMAC secret key, potentially leading to unauthorized access or privilege escalation. The vulnerability impacts the confidentiality and integrity of JWT-based authentication mechanisms. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade PyJWT to version 2.13.0 or later, where this vulnerability is fixed. Since the vendor advisory indicates the issue is resolved in 2.13.0, applying this official fix is the recommended remediation. No other mitigation or temporary workaround is indicated.
CVE-2026-48526: CWE-287: Improper Authentication in jpadilla pyjwt
Description
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0.
CVSS v3.1
Score 7.4high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
PyJWT is a Python library for JSON Web Token implementation. Before version 2.13.0, when decoding JWTs supporting both asymmetric and HMAC algorithms, the library did not properly validate the use of JSON Web Keys in HMAC algorithms. This allowed an attacker to use the issuer's public key as the secret key for HMAC, bypassing intended authentication controls. This vulnerability is tracked as CVE-2026-48526 and is classified under CWE-287 and CWE-347. The vulnerability has a CVSS score of 7.4, reflecting a high impact on confidentiality and integrity but no impact on availability. The issue is resolved in PyJWT 2.13.0.
Potential Impact
Successful exploitation could allow an attacker to forge or manipulate JSON Web Tokens by using the issuer's public key as the HMAC secret key, potentially leading to unauthorized access or privilege escalation. The vulnerability impacts the confidentiality and integrity of JWT-based authentication mechanisms. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade PyJWT to version 2.13.0 or later, where this vulnerability is fixed. Since the vendor advisory indicates the issue is resolved in 2.13.0, applying this official fix is the recommended remediation. No other mitigation or temporary workaround is indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-21T16:18:10.619Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a186056e29bf47b500b42de
Added to database: 5/28/2026, 3:33:42 PM
Last enriched: 5/28/2026, 3:48:27 PM
Last updated: 5/28/2026, 10:53:51 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.