Skip to main content

Python CVE-2026-32597

| EUVDEUVD-2026-11728 HIGH
Insufficient Verification of Data Authenticity (CWE-345)
2026-03-13 security-advisories@github.com GHSA-752w-5fwx-jx9f
7.5
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 20:00 euvd
EUVD-2026-11728
Analysis Generated
Mar 13, 2026 - 20:00 vuln.today
CVE Published
Mar 13, 2026 - 19:55 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 21 pypi packages depend on pyjwt (18 direct, 3 indirect)

Ecosystem-wide dependent count for version 2.12.0.

DescriptionCVE.org

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.

AnalysisAI

PyJWT versions before 2.12.0 fail to validate the 'crit' (Critical) header parameter in JSON Web Signatures (JWS), accepting tokens with unrecognized critical extensions instead of rejecting them as required by RFC 7515. This allows attackers to potentially bypass security mechanisms by injecting malicious critical extensions that the library ignores, leading to integrity compromise. With an EPSS score of only 0.01% and no KEV listing, this represents a low real-world exploitation risk despite the high CVSS score.

Technical ContextAI

PyJWT is a Python implementation of JSON Web Tokens (JWT) used for secure information exchange. The vulnerability stems from improper validation of the 'crit' header parameter defined in RFC 7515 §4.1.11, which lists critical extensions that MUST be understood and processed by the implementation. The CWE-345 classification indicates insufficient verification of data authenticity, where PyJWT accepts tokens containing unknown critical extensions rather than rejecting them. This violates the JWT specification's security requirements for handling critical headers.

RemediationAI

Update PyJWT to version 2.12.0 or later, which includes the fix for proper 'crit' header validation. The GitHub Security Advisory (GHSA-752w-5fwx-jx9f) provides detailed information about the fix. No workarounds are mentioned in the available references. Organizations should audit their Python dependencies and update any applications using PyJWT versions below 2.12.0.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:latest Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.74 Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Affected
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.50 Image SL-Micro Affected
Container suse/sl-micro/6.0/toolbox:latest Affected
Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

CVE-2026-32597 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy