CVE-2026-48523

Published: Mag 28, 2026 Last Modified: Mag 28, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 5,4
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: low
Integrity: low
Availability: none

Description

AI Translation Available

PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature verification is performed with the algorithm bound to the PyJWK object instead of the header algorithm. An attacker who controls a registered JWK/JWKS private key can sign with a disallowed algorithm, advertise an allowed algorithm in the JWT header, and still be accepted. The issue affects the documented PyJWKClient.get_signing_key_from_jwt(...) flow. This vulnerability is fixed in 2.13.0.

347

Improper Verification of Cryptographic Signature

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control Integrity Confidentiality
Potential Impacts:
Gain Privileges Or Assume Identity Modify Application Data Execute Unauthorized Code Or Commands
Applicable Platforms
All platforms may be affected
View CWE Details
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-…
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-…
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f