CVE-2026-48523
Description
PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature verification is performed with the algorithm bound to the PyJWK object instead of the header algorithm. An attacker who controls a registered JWK/JWKS private key can sign with a disallowed algorithm, advertise an allowed algorithm in the JWT header, and still be accepted. The issue affects the documented PyJWKClient.get_signing_key_from_jwt(...) flow. This vulnerability is fixed in 2.13.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PyJWT 2.9.0 to 2.12.1 has an algorithm allow-list bypass when decoding JWTs with PyJWK keys, letting an attacker with a registered key sign using a disallowed algorithm.
Vulnerability
PyJWT versions 2.9.0 through 2.12.1 contain an algorithm allow-list bypass in the jwt.decode() and jwt.decode_complete() functions when a PyJWK key is provided. The token header alg is checked against the caller-supplied algorithms allow-list, but signature verification uses the algorithm bound to the PyJWK object instead of the header algorithm. This affects the documented PyJWKClient.get_signing_key_from_jwt(...) flow. The flaw is present in jwt/api_jws.py where _verify_signature() treats PyJWK keys differently from normal PEM/public-key inputs [1].
Exploitation
An attacker must control a registered JWK/JWKS private key. The attacker signs a JWT with a disallowed algorithm (e.g., none or a weak algorithm like HS256 if the allow-list only permits RS256), but sets the JWT header alg to an allowed value. When the verifier decodes the token using jwt.decode() or jwt.decode_complete() with a PyJWK key, the header algorithm check passes (because it matches the allow-list), but signature verification uses the algorithm from the PyJWK object, thus accepting the token [1]. No user interaction is required beyond the verifier processing the malicious JWT.
Impact
Successful exploitation allows an attacker to forge JWTs that are accepted by the verifier. This can lead to authentication or authorization bypass if the algorithm policy functions as an access control boundary. The attacker can impersonate any subject, escalate privileges, or gain unauthorized access to protected resources. In deployments where the algorithm policy merely enforces crypto agility, the practical confidentiality impact is lower, but the integrity of policy enforcement is still compromised [1].
Mitigation
The vulnerability is fixed in PyJWT version 2.13.0. Users should upgrade to 2.13.0 or later. If immediate upgrade is not possible, ensure that JWK/JWKS keys used in PyJWKClient are strictly controlled and trusted. However, no complete workaround exists without upgrading, as the bypass affects the core verification logic [1].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: 2.9.0 - 2.12.1
Patches
1ab8176abe21eDecode with PyJWK (#886)
6 files changed · +88 −17
docs/usage.rst+2 −4 modified@@ -291,8 +291,7 @@ Retrieve RSA signing keys from a JWKS endpoint >>> signing_key = jwks_client.get_signing_key_from_jwt(token) >>> data = jwt.decode( ... token, - ... signing_key.key, - ... algorithms=["RS256"], + ... signing_key, ... audience="https://expenses-api", ... options={"verify_exp": False}, ... ) @@ -356,8 +355,7 @@ is not built into pyjwt. # now, decode_complete to get payload + header data = jwt.decode_complete( id_token, - key=signing_key.key, - algorithms=signing_algos, + key=signing_key, audience=client_id, ) payload, header = data["payload"], data["header"]
jwt/api_jwk.py+4 −2 modified@@ -52,9 +52,11 @@ def __init__(self, jwk_data: JWKDict, algorithm: str | None = None) -> None: if not has_crypto and algorithm in requires_cryptography: raise PyJWKError(f"{algorithm} requires 'cryptography' to be installed.") - self.Algorithm = self._algorithms.get(algorithm) + self.algorithm_name = algorithm - if not self.Algorithm: + if algorithm in self._algorithms: + self.Algorithm = self._algorithms[algorithm] + else: raise PyJWKError(f"Unable to find an algorithm for key: {self._jwk_data}") self.key = self.Algorithm.from_jwk(self._jwk_data)
jwt/api_jws.py+16 −9 modified@@ -11,6 +11,7 @@ has_crypto, requires_cryptography, ) +from .api_jwk import PyJWK from .exceptions import ( DecodeError, InvalidAlgorithmError, @@ -172,7 +173,7 @@ def encode( def decode_complete( self, jwt: str | bytes, - key: AllowedPublicKeys | str | bytes = "", + key: AllowedPublicKeys | PyJWK | str | bytes = "", algorithms: list[str] | None = None, options: dict[str, Any] | None = None, detached_payload: bytes | None = None, @@ -190,7 +191,7 @@ def decode_complete( merged_options = {**self.options, **options} verify_signature = merged_options["verify_signature"] - if verify_signature and not algorithms: + if verify_signature and not algorithms and not isinstance(key, PyJWK): raise DecodeError( 'It is required that you pass in a value for the "algorithms" argument when calling decode().' ) @@ -217,7 +218,7 @@ def decode_complete( def decode( self, jwt: str | bytes, - key: AllowedPublicKeys | str | bytes = "", + key: AllowedPublicKeys | PyJWK | str | bytes = "", algorithms: list[str] | None = None, options: dict[str, Any] | None = None, detached_payload: bytes | None = None, @@ -289,9 +290,11 @@ def _verify_signature( signing_input: bytes, header: dict[str, Any], signature: bytes, - key: AllowedPublicKeys | str | bytes = "", + key: AllowedPublicKeys | PyJWK | str | bytes = "", algorithms: list[str] | None = None, ) -> None: + if algorithms is None and isinstance(key, PyJWK): + algorithms = [key.algorithm_name] try: alg = header["alg"] except KeyError: @@ -300,11 +303,15 @@ def _verify_signature( if not alg or (algorithms is not None and alg not in algorithms): raise InvalidAlgorithmError("The specified alg value is not allowed") - try: - alg_obj = self.get_algorithm_by_name(alg) - except NotImplementedError as e: - raise InvalidAlgorithmError("Algorithm not supported") from e - prepared_key = alg_obj.prepare_key(key) + if isinstance(key, PyJWK): + alg_obj = key.Algorithm + prepared_key = key.key + else: + try: + alg_obj = self.get_algorithm_by_name(alg) + except NotImplementedError as e: + raise InvalidAlgorithmError("Algorithm not supported") from e + prepared_key = alg_obj.prepare_key(key) if not alg_obj.verify(signing_input, prepared_key, signature): raise InvalidSignatureError("Signature verification failed")
jwt/api_jwt.py+3 −2 modified@@ -21,6 +21,7 @@ if TYPE_CHECKING: from .algorithms import AllowedPrivateKeys, AllowedPublicKeys + from .api_jwk import PyJWK class PyJWT: @@ -100,7 +101,7 @@ def _encode_payload( def decode_complete( self, jwt: str | bytes, - key: AllowedPublicKeys | str | bytes = "", + key: AllowedPublicKeys | PyJWK | str | bytes = "", algorithms: list[str] | None = None, options: dict[str, Any] | None = None, # deprecated arg, remove in pyjwt3 @@ -185,7 +186,7 @@ def _decode_payload(self, decoded: dict[str, Any]) -> Any: def decode( self, jwt: str | bytes, - key: AllowedPublicKeys | str | bytes = "", + key: AllowedPublicKeys | PyJWK | str | bytes = "", algorithms: list[str] | None = None, options: dict[str, Any] | None = None, # deprecated arg, remove in pyjwt3
tests/test_api_jwk.py+9 −0 modified@@ -65,6 +65,7 @@ def test_should_load_key_without_alg_from_dict(self): assert jwk.key_type == "RSA" assert isinstance(jwk.Algorithm, RSAAlgorithm) assert jwk.Algorithm.hash_alg == RSAAlgorithm.SHA256 + assert jwk.algorithm_name == "RS256" @crypto_required def test_should_load_key_from_dict_with_algorithm(self): @@ -76,6 +77,7 @@ def test_should_load_key_from_dict_with_algorithm(self): assert jwk.key_type == "RSA" assert isinstance(jwk.Algorithm, RSAAlgorithm) assert jwk.Algorithm.hash_alg == RSAAlgorithm.SHA256 + assert jwk.algorithm_name == "RS256" @crypto_required def test_should_load_key_ec_p256_from_dict(self): @@ -87,6 +89,7 @@ def test_should_load_key_ec_p256_from_dict(self): assert jwk.key_type == "EC" assert isinstance(jwk.Algorithm, ECAlgorithm) assert jwk.Algorithm.hash_alg == ECAlgorithm.SHA256 + assert jwk.algorithm_name == "ES256" @crypto_required def test_should_load_key_ec_p384_from_dict(self): @@ -98,6 +101,7 @@ def test_should_load_key_ec_p384_from_dict(self): assert jwk.key_type == "EC" assert isinstance(jwk.Algorithm, ECAlgorithm) assert jwk.Algorithm.hash_alg == ECAlgorithm.SHA384 + assert jwk.algorithm_name == "ES384" @crypto_required def test_should_load_key_ec_p521_from_dict(self): @@ -109,6 +113,7 @@ def test_should_load_key_ec_p521_from_dict(self): assert jwk.key_type == "EC" assert isinstance(jwk.Algorithm, ECAlgorithm) assert jwk.Algorithm.hash_alg == ECAlgorithm.SHA512 + assert jwk.algorithm_name == "ES512" @crypto_required def test_should_load_key_ec_secp256k1_from_dict(self): @@ -120,6 +125,7 @@ def test_should_load_key_ec_secp256k1_from_dict(self): assert jwk.key_type == "EC" assert isinstance(jwk.Algorithm, ECAlgorithm) assert jwk.Algorithm.hash_alg == ECAlgorithm.SHA256 + assert jwk.algorithm_name == "ES256K" @crypto_required def test_should_load_key_hmac_from_dict(self): @@ -131,6 +137,7 @@ def test_should_load_key_hmac_from_dict(self): assert jwk.key_type == "oct" assert isinstance(jwk.Algorithm, HMACAlgorithm) assert jwk.Algorithm.hash_alg == HMACAlgorithm.SHA256 + assert jwk.algorithm_name == "HS256" @crypto_required def test_should_load_key_hmac_without_alg_from_dict(self): @@ -143,6 +150,7 @@ def test_should_load_key_hmac_without_alg_from_dict(self): assert jwk.key_type == "oct" assert isinstance(jwk.Algorithm, HMACAlgorithm) assert jwk.Algorithm.hash_alg == HMACAlgorithm.SHA256 + assert jwk.algorithm_name == "HS256" @crypto_required def test_should_load_key_okp_without_alg_from_dict(self): @@ -153,6 +161,7 @@ def test_should_load_key_okp_without_alg_from_dict(self): assert jwk.key_type == "OKP" assert isinstance(jwk.Algorithm, OKPAlgorithm) + assert jwk.algorithm_name == "EdDSA" @crypto_required def test_from_dict_should_throw_exception_if_arg_is_invalid(self):
tests/test_api_jws.py+54 −0 modified@@ -4,6 +4,7 @@ import pytest from jwt.algorithms import NoneAlgorithm, has_crypto +from jwt.api_jwk import PyJWK from jwt.api_jws import PyJWS from jwt.exceptions import ( DecodeError, @@ -250,6 +251,59 @@ def test_decodes_complete_valid_jws(self, jws, payload): ), } + def test_decodes_with_jwk(self, jws, payload): + jwk = PyJWK( + { + "kty": "oct", + "alg": "HS256", + "k": "c2VjcmV0", # "secret" + } + ) + example_jws = ( + b"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9." + b"aGVsbG8gd29ybGQ." + b"gEW0pdU4kxPthjtehYdhxB9mMOGajt1xCKlGGXDJ8PM" + ) + + decoded_payload = jws.decode(example_jws, jwk, algorithms=["HS256"]) + + assert decoded_payload == payload + + def test_decodes_with_jwk_and_no_algorithm(self, jws, payload): + jwk = PyJWK( + { + "kty": "oct", + "alg": "HS256", + "k": "c2VjcmV0", # "secret" + } + ) + example_jws = ( + b"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9." + b"aGVsbG8gd29ybGQ." + b"gEW0pdU4kxPthjtehYdhxB9mMOGajt1xCKlGGXDJ8PM" + ) + + decoded_payload = jws.decode(example_jws, jwk) + + assert decoded_payload == payload + + def test_decodes_with_jwk_and_mismatched_algorithm(self, jws, payload): + jwk = PyJWK( + { + "kty": "oct", + "alg": "HS512", + "k": "c2VjcmV0", # "secret" + } + ) + example_jws = ( + b"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9." + b"aGVsbG8gd29ybGQ." + b"gEW0pdU4kxPthjtehYdhxB9mMOGajt1xCKlGGXDJ8PM" + ) + + with pytest.raises(InvalidAlgorithmError): + jws.decode(example_jws, jwk) + # 'Control' Elliptic Curve jws created by another library. # Used to test for regressions that could affect both # encoding / decoding operations equally (causing tests
Vulnerability mechanics
Root cause
"In `_verify_signature()`, when the key is a `PyJWK` object, the JWT header `alg` is checked against the allow-list as a string, but signature verification uses the algorithm bound to the `PyJWK` object rather than the algorithm derived from the header."
Attack vector
An attacker who controls a registered JWK/JWKS private key signs a JWT with a disallowed algorithm (e.g., RS256) but sets the JWT header `alg` to an allowed algorithm (e.g., PS256 or RS512). When `jwt.decode()` or `jwt.decode_complete()` is called with a `PyJWK` key and an `algorithms` allow-list, the header `alg` string passes the allow-list check, but signature verification uses the algorithm bound to the `PyJWK` object (the attacker's actual signing algorithm). The token is accepted despite violating the algorithm policy. This is reachable through the documented `PyJWKClient.get_signing_key_from_jwt(...)` flow [ref_id=1].
Affected code
The vulnerability is in `jwt/api_jws.py` in the `_verify_signature()` method. When the key is a `PyJWK` object, the method checks the JWT header `alg` against the caller-supplied `algorithms` allow-list as a string, but then uses `key.Algorithm` (the algorithm bound to the `PyJWK` at construction time) for actual signature verification instead of the algorithm derived from the header. The `PyJWK` class in `jwt/api_jwk.py` binds its algorithm from the JWK's `alg` field or key-type defaults at `__init__` time.
What the fix does
The patch in commit `ab8176abe21e550dbc1c9a6bb7e78ad80853bfb1` [patch_id=2955875] adds an `algorithm_name` property to `PyJWK` and modifies `_verify_signature()` so that when the key is a `PyJWK`, the algorithm used for verification is still selected from the header `alg` via `key.Algorithm`, but the `PyJWK`'s algorithm is used as the default `algorithms` list when none is provided. The critical change is that the patch also adds a test (`test_decodes_with_jwk_and_mismatched_algorithm`) that verifies a token signed with HS512 but claiming HS256 is rejected with `InvalidAlgorithmError`. The documentation in `docs/usage.rst` is updated to pass the `PyJWK` object directly rather than `signing_key.key`, and the `algorithms` parameter is now omitted in the documented flow, relying on the `PyJWK`'s bound algorithm.
Preconditions
- authAttacker must control a registered JWK/JWKS private key that the verifier accepts
- inputVerifier must call jwt.decode() or jwt.decode_complete() with a PyJWK key object
- configVerifier must supply an algorithms allow-list that includes an algorithm different from the attacker's signing algorithm
- networkNetwork access to deliver the crafted JWT to the verifier
Reproduction
Install PyJWT 2.12.1 and cryptography, then run the following script (adapted from [ref_id=1]):
```python import json import jwt from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat from jwt.api_jwk import PyJWK from jwt.algorithms import RSAAlgorithm from jwt.utils import base64url_encode
priv = rsa.generate_private_key(public_exponent=65537, key_size=2048) pub = priv.public_key()
jwk = PyJWK.from_json(RSAAlgorithm.to_jwk(pub))
header = {"typ": "JWT", "alg": "RS512"} payload = {"sub": "alice"}
header_b64 = base64url_encode(json.dumps(header, separators=(",", ":"), sort_keys=True).encode()) payload_b64 = base64url_encode(json.dumps(payload, separators=(",", ":")).encode()) signing_input = b".".join([header_b64, payload_b64])
sig = RSAAlgorithm(RSAAlgorithm.SHA256).sign(signing_input, priv) token = b".".join([header_b64, payload_b64, base64url_encode(sig)]).decode()
print("PyJWK path:", jwt.decode(token, jwk, algorithms=["RS512"])) ```
The token is accepted despite being signed with RS256 while claiming RS512 in the header.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.