top of page
perceptive_background_267k.jpg

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC al…

Published:

27 mei 2026 om 22:00:00

Alert date:

28 mei 2026 om 17:06:19

Source:

nvd.nist.gov

Click to open the original link from this advisory

Supply Chain & Dependencies, Web Technologies

PyJWT, a JSON Web Token implementation in Python, contains a vulnerability prior to version 2.13.0 where the library fails to validate the use of JSON Web Keys in HMAC algorithms. This flaw allows attackers to use the issuer's public key as the secret key for HMAC algorithm verification when the verifier supports both asymmetric and HMAC algorithms. The vulnerability enables potential token forgery attacks and has been fixed in version 2.13.0.

Technical details

Mitigation steps:

Affected products:

PyJWT

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-48526
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page