CVE-2026-48524

LOW 3.7

PyJWT: PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)

CVSS Score

3.7

EPSS Score

0.0%

EPSS Percentile

0th

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. This vulnerability is fixed in 2.13.0.

CWE	CWE-460 CWE-755
Vendor	jpadilla
Product	pyjwt
Published	May 28, 2026
Last Updated	May 28, 2026

Stay Ahead of the Next One

Get instant alerts for jpadilla pyjwt

Be the first to know when new low vulnerabilities affecting jpadilla pyjwt are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Affected Versions

jpadilla / pyjwt

< 2.13.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8