top of page
perceptive_background_267k.jpg

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC al…

Published:

27 May 2026 at 22:00:00

Alert date:

28 May 2026 at 19:09:38

Source:

nvd.nist.gov

Click to open the original link from this advisory

Supply Chain & Dependencies, Identity & Access

PyJWT, a JSON Web Token implementation in Python, contains a vulnerability prior to version 2.13.0 where the library fails to validate the use of JSON Web Keys in HMAC algorithms. This flaw allows attackers to use the issuer's public key as the secret key for HMAC algorithm verification, potentially leading to token forgery and authentication bypass. The vulnerability affects JWT verification when both asymmetric and HMAC algorithms are supported. The issue has been fixed in PyJWT version 2.13.0.

Technical details

Mitigation steps:

Affected products:

PyJWT

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-48526
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page