DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-32597: CVE-2026-32597: Critical Header Parameter Validation Bypass in PyJWT

#security #cve #cybersecurity

CVE-2026-32597: Critical Header Parameter Validation Bypass in PyJWT

Vulnerability ID: CVE-2026-32597
CVSS Score: 7.5
Published: 2026-03-12

PyJWT versions prior to 2.12.0 fail to validate the crit (Critical) Header Parameter as mandated by RFC 7515. This allows attackers to bypass security policies enforced via custom JWT extensions by supplying tokens with unsupported critical parameters, which the library silently ignores instead of rejecting.

TL;DR

PyJWT < 2.12.0 ignores the mandatory 'crit' header in JSON Web Tokens. This fail-open behavior violates RFC 7515 and allows attackers to bypass security extensions like MFA enforcement. Update to 2.12.0 immediately.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-345, CWE-863
  • Attack Vector: Network
  • CVSS v3.1 Score: 7.5 (High)
  • EPSS Score: 0.00009 (0.91%)
  • Impact: Integrity Loss (Authorization Bypass)
  • Exploit Status: Proof of Concept Available
  • CISA KEV Status: Not Listed

Affected Systems

  • PyJWT versions prior to 2.12.0
  • Python backend services relying on custom JWS critical extensions for authorization
  • API gateways utilizing PyJWT for token validation
  • pyjwt: < 2.12.0 (Fixed in: 2.12.0)

Code Analysis

Commit: bd9700c

Implementation of the _validate_crit method to enforce RFC 7515 Section 4.1.11.

Exploit Details

  • Security Advisory: Proof of Concept demonstrating the acceptance of unsupported 'crit' headers.

Mitigation Strategies

  • Upgrade PyJWT to version 2.12.0 or later.
  • Implement independent validation of JWS headers using jwt.get_unverified_header() prior to full decoding.
  • Audit custom token extensions across the application architecture to ensure backend services explicitly support and process mandatory flags.

Remediation Steps:

  1. Identify all projects utilizing the pyjwt library.
  2. Update the version constraint in your package manager (e.g., pip install --upgrade pyjwt>=2.12.0).
  3. Run the application test suite to verify that token processing behaves as expected, particularly if the application legitimately uses the b64 critical extension.
  4. Deploy the updated application to staging and production environments.

References

Read the full report for CVE-2026-32597 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)