Voozh

Name	CVE-2026-32597
Description	PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-4564-1, DSA-6259-1
Debian Bugs	1130662

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
pyjwt (PTS)	bullseye	1.7.1-2	vulnerable
bullseye (security)	1.7.1-2+deb11u1	fixed
bookworm, bookworm (security)	2.6.0-1+deb12u1	fixed
trixie (security), trixie	2.10.1-2+deb13u1	fixed
forky, sid	2.12.1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency
pyjwt	source	bullseye	1.7.1-2+deb11u1	DLA-4564-1
pyjwt	source	bookworm	2.6.0-1+deb12u1	DSA-6259-1
pyjwt	source	trixie	2.10.1-2+deb13u1	DSA-6259-1
pyjwt	source	(unstable)	2.12.1-1	1130662

Notes

https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f
Fixed by: https://github.com/jpadilla/pyjwt/commit/051ea341b5573fe3edcd53042f347929b92c2b92 (2.12.0)

URL: https://security-tracker.debian.org/tracker/CVE-2026-32597

⇱ CVE-2026-32597

Vulnerable and fixed packages

Notes