CVE-2026-48523
Description
PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature verification is performed with the algorithm bound to the PyJWK object instead of the header algorithm. An attacker who controls a registered JWK/JWKS private key can sign with a disallowed algorithm, advertise an allowed algorithm in the JWT header, and still be accepted. The issue affects the documented PyJWKClient.get_signing_key_from_jwt(...) flow. This vulnerability is fixed in 2.13.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pyjwtPyPI | >= 2.9.0, < 2.13.0 | 2.13.0 |
Affected products
56- osv-coords53 versionspkg:apk/chainguard/airflow-core-3pkg:apk/chainguard/awxpkg:apk/chainguard/datadog-agent-7.76-core-integrationspkg:apk/chainguard/datadog-agent-7.77-core-integrationspkg:apk/chainguard/datadog-agent-7.78-core-integrationspkg:apk/chainguard/datadog-agent-7.79-core-integrationspkg:apk/chainguard/datadog-agent-fips-7.76-core-integrationspkg:apk/chainguard/datadog-agent-fips-7.77-core-integrationspkg:apk/chainguard/datadog-agent-fips-7.78-core-integrationspkg:apk/chainguard/datadog-agent-fips-7.79-core-integrationspkg:apk/chainguard/kserve-storage-controllerpkg:apk/chainguard/litellmpkg:apk/chainguard/metaflow-service-fipspkg:apk/chainguard/netboxpkg:apk/chainguard/netbox-fipspkg:apk/chainguard/openstack-glance-2025.1pkg:apk/chainguard/openstack-glance-2025.1-fipspkg:apk/chainguard/openstack-glance-2025.2pkg:apk/chainguard/openstack-glance-2025.2-fipspkg:apk/chainguard/openstack-glance-2026.1pkg:apk/chainguard/openstack-glance-2026.1-fipspkg:apk/chainguard/openstack-horizon-2025.1pkg:apk/chainguard/openstack-horizon-2025.1-fipspkg:apk/chainguard/openstack-horizon-2025.2-fipspkg:apk/chainguard/openstack-horizon-2026.1-fipspkg:apk/chainguard/openstack-keystone-2025.1pkg:apk/chainguard/openstack-keystone-2025.1-fipspkg:apk/chainguard/openstack-keystone-2025.2pkg:apk/chainguard/openstack-keystone-2025.2-fipspkg:apk/chainguard/openstack-keystone-2026.1pkg:apk/chainguard/openstack-keystone-2026.1-fipspkg:apk/chainguard/openstack-placement-2025.1pkg:apk/chainguard/openstack-placement-2025.1-fipspkg:apk/chainguard/openstack-placement-2025.2pkg:apk/chainguard/openstack-placement-2025.2-fipspkg:apk/chainguard/openstack-placement-2026.1pkg:apk/chainguard/openstack-placement-2026.1-fipspkg:apk/chainguard/superset-5.0pkg:apk/chainguard/superset-6.1pkg:apk/chainguard/superset-fips-6.1pkg:apk/chainguard/wazuh-manager-framework-fipspkg:apk/wolfi/datadog-agent-7.76-core-integrationspkg:apk/wolfi/datadog-agent-7.77-core-integrationspkg:apk/wolfi/datadog-agent-7.78-core-integrationspkg:apk/wolfi/datadog-agent-7.79-core-integrationspkg:apk/wolfi/kserve-storage-controllerpkg:apk/wolfi/superset-5.0pkg:apk/wolfi/superset-6.1pkg:rpm/opensuse/python-PyJWT&distro=openSUSE%20Tumbleweedpkg:rpm/suse/python-PyJWT&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/python-PyJWT&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/python-PyJWT&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/python-PyJWT&distro=SUSE%20Linux%20Micro%206.2
< 3.2.2-r5+ 52 more
- (no CPE)range: < 3.2.2-r5
- (no CPE)range: < 24.6.1-r41
- (no CPE)range: < 7.76.3-r26
- (no CPE)range: < 7.77.3-r16
- (no CPE)range: < 7.78.4-r10
- (no CPE)range: < 7.79.2-r6
- (no CPE)range: < 7.76.3-r24
- (no CPE)range: < 7.77.3-r17
- (no CPE)range: < 7.78.4-r8
- (no CPE)range: < 7.79.2-r2
- (no CPE)range: < 0.19.0-r2
- (no CPE)range: < 1.89.0-r4
- (no CPE)range: < 2.5.0-r5
- (no CPE)range: < 4.6.3-r2
- (no CPE)range: < 4.6.3-r2
- (no CPE)range: < 30.2.0_git20260616-r1
- (no CPE)range: < 30.2.0_git20260511-r5
- (no CPE)range: < 31.1.0_git20260617-r1
- (no CPE)range: < 31.1.0_git20260617-r0
- (no CPE)range: < 32.0.0_git20260617-r1
- (no CPE)range: < 32.0.0_git20260617-r1
- (no CPE)range: < 25.3.2_git20260617-r1
- (no CPE)range: < 25.3.2_git20260617-r0
- (no CPE)range: < 25.5.2_git20260617-r1
- (no CPE)range: < 25.7.3_git20260611-r3
- (no CPE)range: < 27.0.1_git20260618-r4
- (no CPE)range: < 27.0.1_git20260618-r2
- (no CPE)range: < 28.0.1_git20260618-r3
- (no CPE)range: < 28.0.1_git20260616-r1
- (no CPE)range: < 29.0.1_git20260616-r4
- (no CPE)range: < 29.0.1_git20260603-r6
- (no CPE)range: < 13.0.0_git20260617-r2
- (no CPE)range: < 13.0.0_git20260617-r1
- (no CPE)range: < 14.0.0_git20260617-r2
- (no CPE)range: < 14.0.0_git20260309-r1
- (no CPE)range: < 15.0.0_git20260617-r2
- (no CPE)range: < 15.0.0_git20260311-r1
- (no CPE)range: < 5.0.0-r26
- (no CPE)range: < 6.1.0-r2
- (no CPE)range: < 6.1.0-r1
- (no CPE)range: < 4.14.5-r5
- (no CPE)range: < 7.76.3-r26
- (no CPE)range: < 7.77.3-r16
- (no CPE)range: < 7.78.4-r10
- (no CPE)range: < 7.79.2-r6
- (no CPE)range: < 0.19.0-r2
- (no CPE)range: < 5.0.0-r26
- (no CPE)range: < 6.1.0-r2
- (no CPE)range: < 2.13.0-1.1
- (no CPE)range: < 2.12.1-160000.2.1
- (no CPE)range: < 2.12.1-160000.2.1
- (no CPE)range: < 2.12.1-slfo.1.1_2.1
- (no CPE)range: < 2.12.1-160000.2.1
Patches
Vulnerability mechanics
References
4- github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3fnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-jq35-7prp-9v3fghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-48523ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2026-176.yamlghsaWEB
News mentions
0No linked articles in our index yet.