What is the CVSS score of CVE-2026-48526?

CVE-2026-48526 has a CVSS 3.1 base score of 7.4 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N.

Which versions of PyJWT are affected by CVE-2026-48526?

PyJWT versions prior to 2.13.0 contain an algorithm confusion vulnerability (CVE-2026-48526, CVSS 7.4) enabling attackers to forge valid authentication tokens and bypass access controls; no public…. A patch is available.

PyJWT CVE-2026-48526

EUVD-2026-32917 HIGH

Improper Authentication (CWE-287)

2026-05-28 GitHub_M

Authentication Bypass Python

7.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch available

May 28, 2026 - 17:01 EUVD

Analysis Generated

May 28, 2026 - 15:50 vuln.today

DescriptionNVD

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0.

AnalysisAI

Authentication bypass in PyJWT versions prior to 2.13.0 allows remote attackers to forge valid JSON Web Tokens by exploiting an algorithm confusion flaw where the library fails to validate that a JSON Web Key intended for asymmetric verification is not reused as an HMAC shared secret. An attacker who knows the issuer's public key (typically distributed openly via JWKS endpoints) can sign HMAC-algorithm tokens with that public key and have them accepted as legitimate. …

RemediationAI

24 hours: Conduct comprehensive inventory of all PyJWT deployments; identify applications using PyJWT versions prior to 2.13.0; document all affected versions and locations. 7 days: No vendor-released patch identified at time of analysis; immediately deploy compensating controls listed below; subscribe to PyJWT security advisories for patch notification. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-48526 vulnerability details – vuln.today

Back

PyJWT CVE-2026-48526

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code