CVE-2026-32597
PyJWT accepts unknown `crit` header extensions
Severity: HIGH (CVSS 3.1 base score 7.5); EPSS 0.01%
Description
PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the `crit` (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token carries a `crit` array naming extension header parameters that PyJWT does not understand, the library accepts the token instead of rejecting it, even though the RFC states that a recipient MUST reject a JWS whose critical extensions it does not understand. This vulnerability is fixed in 2.12.0.
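As an added illustration (not PyJWT's own code and not the 2.12.0 fix), the check below implements what RFC 7515 §4.1.11 requires of a JWS recipient: `crit` must be a non-empty array of strings, must not name standard header parameters or duplicates, and every name it lists must be present in the header and understood by the application; anything else makes the JWS invalid. The function names, the `understood` set and the unsigned demo tokens are assumptions made for this example, and the check complements signature verification rather than replacing it.

```python
import base64
import json
from typing import Optional

# RFC 7515 §4.1.11 forbids listing names that JWS/JWA/JWT themselves define in "crit".
# Assumption: this set is the registered JWS header parameter names from RFC 7515 §4.1.
STANDARD_HEADER_PARAMS = frozenset(
    {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit"}
)

def decode_protected_header(token: str) -> dict:
    """Parse the base64url JOSE header (first segment of the compact serialization)."""
    segment = token.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)  # JWS strips base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))

def crit_violation(header: dict, understood: frozenset = frozenset()) -> Optional[str]:
    """Return why the header's "crit" is unacceptable, or None if it is fine.
    `understood` is the set of extension names this application can process; any
    critical extension outside it MUST make the JWS invalid (RFC 7515 §4.1.11)."""
    if "crit" not in header:
        return None  # absent is fine; present-but-empty or malformed is not
    crit = header["crit"]
    if not isinstance(crit, list) or not crit or not all(isinstance(n, str) for n in crit):
        return '"crit" must be a non-empty array of strings'
    if len(set(crit)) != len(crit):
        return '"crit" must not contain duplicate names'
    for name in crit:
        if name in STANDARD_HEADER_PARAMS:
            return f'"crit" must not list standard parameter {name!r}'
        if name not in header:
            return f'critical parameter {name!r} is listed but absent from the header'
        if name not in understood:
            return f'unsupported critical extension {name!r}'
    return None

def verify_crit(token: str, understood: frozenset = frozenset()) -> dict:
    """Raise ValueError on an unacceptable "crit"; otherwise return the parsed header.
    Run this alongside signature verification, never instead of it."""
    header = decode_protected_header(token)
    reason = crit_violation(header, understood)
    if reason is not None:
        raise ValueError(f"invalid JWS: {reason}")
    return header

def build_unsigned_token(header: dict) -> str:
    """Constructed demo token: the given header, an empty payload, a placeholder signature."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({})}.placeholder"
```

A token whose `crit` names `exp` passes only when the caller declares `exp` as understood; the same token with an empty `understood` set is rejected, which is the behaviour the pre-2.12.0 library lacked.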
How to fix CVE-2026-32597
To remediate CVE-2026-32597, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 1.7.1-2+deb11u1 or later
- upgrade to 2.12.0 or later
- upgrade to 2.12.0 or later
Is CVE-2026-32597 being exploited?
Low. EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- all versions before 1.7.1-2+deb11u1
- all versions before 2.12.0
- all versions before 2.12.0
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |