CVE-2026-32597
PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.
| CWE | CWE-345 CWE-863 |
| Vendor | jpadilla |
| Product | pyjwt |
| Published | Mar 12, 2026 |
| Last Updated | Mar 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for jpadilla pyjwt
Be the first to know when new high vulnerabilities affecting jpadilla pyjwt are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Affected Versions
jpadilla / pyjwt
< 2.12.0