High severity · CVSS 7.5 · NVD Advisory · Published Mar 20, 2026 · Updated Apr 10, 2026
CVE-2026-33204
Description
SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected. This issue has been patched in version 1.1.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| kelvinmo/simplejwt (Packagist) | < 1.1.1 | 1.1.1 |
Affected products: 1
Patches: 0
No patches discovered yet.
References (4)
- github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x (source: NVD; tags: Exploit, Vendor Advisory)
- github.com/advisories/GHSA-xw36-67f8-339x (source: GHSA; tag: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33204 (source: GHSA; tag: Advisory)
- github.com/kelvinmo/simplejwt/releases/tag/v1.1.1 (source: NVD; tags: Product, Release Notes)