PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
Summary
| CVE | CVE-2026-32597 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-13 19:55:09 UTC |
| Updated | 2026-07-10 12:16:39 UTC |
| Description | PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.002690000 probability, percentile 0.185400000 (date 2026-07-13)
Problem Types: CWE-345 | CWE-863 | CWE-347 | CWE-345 CWE-345: Insufficient Verification of Data Authenticity | CWE-863 CWE-863: Incorrect Authorization | CWE-347 Improper Verification of Cryptographic Signature
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Pyjwt Project | Pyjwt | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:17083 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13512 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8437 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13916 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:19355 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-32597 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13553 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:21431 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:24977 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | github.com | Exploit, Mitigation, Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:6720 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13508 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8747 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6568 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:10184 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:10140 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:37275 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32597.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:21517 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:19375 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| lists.debian.org/debian-lts-announce/2026/05/msg00008.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | |
| access.redhat.com/errata/RHSA-2026:12176 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:10141 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6912 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6926 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8746 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8748 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13672 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:19138 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:26226 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13545 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:19712 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:22330 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-12T22:01:29.967Z | Reported to Red Hat. |
| ADP | 2026-03-12T21:41:50.427Z | Made public. |
Solutions
ADP: RHSA-2026:13512: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9
ADP: RHSA-2026:13508: Red Hat Ansible Automation Platform 2.6 for RHEL 9
ADP: RHSA-2026:17083: Red Hat Enterprise Linux AppStream EUS (v. 10.0)
ADP: RHSA-2026:13916: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:19138: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:12176: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux HighAvailability (v. 8), Red Hat Enterprise Linux ResilientStorage (v. 8)
ADP: RHSA-2026:22330: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux High Availability E4S (v.9.2), Red Hat Enterprise Linux Resilient Storage E4S (v.9.2)
ADP: RHSA-2026:21517: Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux High Availability EUS (v.9.4), Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)
ADP: RHSA-2026:21431: Red Hat Enterprise Linux AppStream EUS (v.9.6)
ADP: RHSA-2026:13672: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:19355: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:8748: Red Hat AI Inference Server 3.3
ADP: RHSA-2026:8746: Red Hat AI Inference Server 3.3
ADP: RHSA-2026:8747: Red Hat AI Inference Server 3.3
ADP: RHSA-2026:13553: Red Hat Ansible Automation Platform 2.5
ADP: RHSA-2026:13545: Red Hat Ansible Automation Platform 2.6
ADP: RHSA-2026:10140: Red Hat Enterprise Linux AI 3.3
ADP: RHSA-2026:10141: Red Hat Enterprise Linux AI 3.3
ADP: RHSA-2026:10184: Red Hat OpenShift AI 2.25
ADP: RHSA-2026:24977: Red Hat OpenShift AI 2.25
ADP: RHSA-2026:37275: Red Hat OpenShift AI 3.3
ADP: RHSA-2026:19712: Red Hat OpenShift AI 3.3
ADP: RHSA-2026:6912: Red Hat Quay 3.10
ADP: RHSA-2026:6720: Red Hat Quay 3.12
ADP: RHSA-2026:6568: Red Hat Quay 3.15
ADP: RHSA-2026:19375: Red Hat Quay 3.16
ADP: RHSA-2026:6926: Red Hat Quay 3.9
ADP: RHSA-2026:26226: Red Hat Satellite 6.18
ADP: RHSA-2026:8437: Red Hat Trusted Artifact Signer 1.4
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.