Skip to main content

PyJWT CVE-2026-48522

| EUVDEUVD-2026-32915 MEDIUM
Unintended Proxy or Intermediary ('Confused Deputy') (CWE-441)
2026-05-28 GitHub_M GHSA-993g-76c3-p5m4 PYSEC-2026-175
4.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.2 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
May 28, 2026 - 17:01 EUVD
Analysis Generated
May 28, 2026 - 15:55 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 40,697 pypi packages depend on pyjwt (4,610 direct, 36,482 indirect)

Ecosystem-wide dependent count for version 2.13.0.

DescriptionGitHub Advisory

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no documented option to restrict which schemes PyJWKClient will fetch. If an application's jku URL ingestion path accepts attacker-influenced URLs (e.g., from JWT header, configuration file, OAuth flow parameter), the attacker can cause PyJWKClient to read arbitrary local files via file:// (SSRF on local filesystem), cause PyJWKClient to attempt FTP / data-URI fetches (broader SSRF surface), or forge tokens that PyJWT verifies as valid. The library does not directly return non-HTTP(S) URI contents to the attacker; the chained "plant a JWKS to forge tokens" scenario described in the original report requires additional application-layer flaws (attacker write access to a filesystem path, untrusted jku derivation) that this fix does not address. This vulnerability is fixed in 2.13.0.

AnalysisAI

PyJWKClient in PyJWT prior to 2.13.0 passes attacker-influenced URIs directly to Python's urllib.request.urlopen() without restricting URI schemes, enabling Server-Side Request Forgery (SSRF) across file://, FTP, and data-URI schemes against applications that accept untrusted jku values. Affected deployments include any Python application using PyJWKClient where the jku URL originates from a JWT header, OAuth flow parameter, or externally influenced configuration. No public exploit exists and no CISA KEV listing is present; real-world exploitation is constrained by a CVSS-confirmed high attack complexity (AC:H) and required user interaction (UI:R), making opportunistic mass exploitation unlikely.

Technical ContextAI

PyJWT is the dominant Python library for JSON Web Token creation and validation (CPE: cpe:2.3:a:jpadilla:pyjwt:*:*:*:*:*:*:*:*). PyJWKClient is its helper class for fetching JSON Web Key Sets (JWKS) from a remote URI to validate token signatures. The vulnerability arises because PyJWKClient passes the supplied uri argument directly to Python's urllib.request.urlopen(), which uses the default OpenerDirector. That director registers handlers for HTTP, HTTPS, FTP, file://, and data-URI schemes with no application-level filtering. CWE-441 (Unintended Proxy or Intermediary) precisely characterizes the root cause: PyJWKClient acts as an unrestricted intermediary fetching resources on behalf of whoever controls the URI, regardless of scheme. The library does not directly return non-HTTP(S) content to the caller, meaning simple file exfiltration requires an additional application flaw; however, side-channel behaviors (error messages, timing, DNS lookups) can still leak information about internal resources.

RemediationAI

Upgrade PyJWT to version 2.13.0, which is confirmed as the vendor-released fix per the GitHub Security Advisory GHSA-993g-76c3-p5m4 at https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4. The fix restricts PyJWKClient to HTTP and HTTPS schemes only, eliminating the file://, FTP, and data-URI attack surface. For deployments where an immediate upgrade is not possible, the most effective compensating control is to refactor the application to pass only a hardcoded, allow-listed JWKS URI to PyJWKClient rather than accepting the jku value from incoming JWT headers or external parameters; this eliminates attacker influence over the URI entirely and does not require changes to PyJWT itself. A secondary control is to apply egress network filtering that blocks the process running PyJWKClient from making non-HTTP(S) outbound connections, mitigating FTP and local file access at the network layer without addressing the root cause. Neither workaround substitutes for patching, as both introduce operational complexity and leave the underlying unfiltered call intact.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 12 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed

Share

CVE-2026-48522 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy