Medium severity (CVSS 5.3) · NVD Advisory · Published Apr 7, 2026 · Updated Apr 15, 2026
CVE-2026-39373
Description
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.
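The defect described above is an input-size cap with no cap on the inflated output. The function below is an added illustration of the bounded check (not jwcrypto's own code): it inflates raw DEFLATE, which is what JWE "zip":"DEF" (RFC 1951) carries, while refusing to materialise more than a fixed number of plaintext bytes. The 256KB output cap and the sample inputs are constructed values for the demonstration.

```python
import zlib

# Constructed limits: the advisory says the earlier fix capped the compressed
# token at 250KB; the plaintext cap is a hypothetical value chosen here.
MAX_COMPRESSED_BYTES = 250 * 1024
MAX_PLAINTEXT_BYTES = 256 * 1024


class DecompressionLimitExceeded(ValueError):
    """Raised when inflating would exceed the configured size limits."""


def deflate_raw(plain: bytes) -> bytes:
    """Raw DEFLATE (no zlib/gzip header), as JWE "zip":"DEF" uses."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(plain) + c.flush()


def inflate_bounded(data: bytes,
                    max_in: int = MAX_COMPRESSED_BYTES,
                    max_out: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Inflate raw DEFLATE with limits on both the compressed input and the
    decompressed output. decompressobj(...).decompress(buf, max_length) stops
    once max_length bytes have been produced, so at most max_out + 1 bytes are
    ever allocated before a highly compressed stream is rejected."""
    if len(data) > max_in:
        raise DecompressionLimitExceeded(f"compressed input {len(data)} > {max_in}")
    d = zlib.decompressobj(wbits=-15)   # -15 selects raw DEFLATE
    out = bytearray()
    buf = data
    while buf:
        out += d.decompress(buf, max_out + 1 - len(out))
        if len(out) > max_out:
            raise DecompressionLimitExceeded(f"decompressed output exceeds {max_out}")
        buf = d.unconsumed_tail         # input not yet consumed after hitting max_length
    out += d.flush()                    # only the few bytes zlib may still hold
    if len(out) > max_out:
        raise DecompressionLimitExceeded(f"decompressed output exceeds {max_out}")
    if not d.eof:
        raise ValueError("truncated or malformed DEFLATE stream")
    return bytes(out)


def expansion_is_safe(data: bytes) -> bool:
    """True if the stream inflates within the limits, False if it was rejected."""
    try:
        inflate_bounded(data)
        return True
    except DecompressionLimitExceeded:
        return False
```

A JWE library would apply this check before handing the plaintext to the caller, so a token that passes the input cap but would inflate far beyond the expected payload size is rejected without the full allocation.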
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jwcrypto (PyPI) | < 1.5.7 | 1.5.7 |
Affected products
OSV coordinates (20 package versions; no CPE assigned for any of them):

| Package URL | Affected range |
|---|---|
| pkg:apk/chainguard/authentik-2025.12 | < 2025.12.4-r5 |
| pkg:apk/chainguard/authentik-2026.2 | < 2026.2.1-r5 |
| pkg:apk/chainguard/authentik-fips-2025.12 | < 2025.12.4-r4 |
| pkg:apk/chainguard/authentik-fips-2026.2 | < 2026.2.1-r4 |
| pkg:apk/chainguard/awx | < 24.6.1-r42 |
| pkg:apk/chainguard/keep-api | < 0.51.0-r4 |
| pkg:apk/chainguard/keep-api-fips | < 0.51.0-r3 |
| pkg:apk/chainguard/py3.10-jwcrypto | < 1.5.7-r0 |
| pkg:apk/chainguard/py3.11-jwcrypto | < 1.5.7-r0 |
| pkg:apk/chainguard/py3.12-jwcrypto | < 1.5.7-r0 |
| pkg:apk/chainguard/py3.13-jwcrypto | < 1.5.7-r0 |
| pkg:apk/chainguard/py3-jwcrypto | < 1.5.7-r0 |
| pkg:apk/wolfi/py3.10-jwcrypto | < 1.5.7-r0 |
| pkg:apk/wolfi/py3.11-jwcrypto | < 1.5.7-r0 |
| pkg:apk/wolfi/py3.12-jwcrypto | < 1.5.7-r0 |
| pkg:apk/wolfi/py3.13-jwcrypto | < 1.5.7-r0 |
| pkg:apk/wolfi/py3-jwcrypto | < 1.5.7-r0 |
| pkg:pypi/jwcrypto | <= 1.5.6 |
| pkg:rpm/almalinux/python3-jwcrypto | < 1.5.6-5.el10_2 |
| pkg:rpm/opensuse/python-jwcrypto&distro=openSUSE%20Tumbleweed | < 1.5.7-2.1 |
References
- github.com/latchset/jwcrypto/security/advisories/GHSA-fjrm-76x2-c4q4 (NVD: Exploit, Vendor Advisory)
- github.com/advisories/GHSA-fjrm-76x2-c4q4 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-39373 (NVD entry)
- github.com/latchset/jwcrypto/commit/25db861d8b29434838669a94a843af03d29ea6ed (fix commit)
- github.com/latchset/jwcrypto/releases/tag/v1.5.7 (release)
- github.com/pypa/advisory-database/tree/main/vulns/jwcrypto/PYSEC-2026-70.yaml (PyPA advisory)