CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-48524: Remote Cache Eviction and Authentication Denial of Service in PyJWT

Vulnerability ID: CVE-2026-48524
CVSS Score: 3.7
Published: 2026-06-15

A logic flaw in PyJWT's PyJWKClient class allows remote unauthenticated attackers to trigger a complete authentication outage. By transmitting a volume of JWTs containing randomized, non-existent Key ID (kid) values, attackers force synchronous outbound JWKS resolution queries. When these queries fail or time out, a defect in the error cleanup code overwrites the local cache of valid signing keys with None, causing a denial of service.

TL;DR

Unauthenticated attackers can send JWTs with randomized KIDs to force connection errors on the target's upstream JWKS endpoint. A flaw in the error cleanup sequence then writes None to the cache, evicting all legitimate signing keys and preventing legitimate users from authenticating.


Technical Details

  • CWE ID: CWE-460
  • Attack Vector: Network
  • CVSS v3.1: 3.7
  • EPSS Score: 0.00205
  • Impact: Denial of Service (DoS)
  • Exploit Status: none
  • KEV Status: Not Listed

Affected Systems

  • Applications utilizing the pyjwt Python package prior to version 2.13.0 with PyJWKClient enabled for dynamic key retrieval.
  • pyjwt: < 2.13.0 (Fixed in: 2.13.0)

Code Analysis

Commit: 95791b1

Clear cache on fetch exception instead of saving None in finally block

@@ -102,7 +113,6 @@ def fetch_data(self) -> Any:
-        jwk_set: Any = None
         try:
             r = urllib.request.Request(url=self.uri, headers=self.headers)
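Review bot: with `jwk_set: Any = None` removed, `jwk_set` is only bound inside the `try`, so every `except` branch of `fetch_data` must raise or return; otherwise the `self.jwk_set_cache.put(jwk_set)` that now follows the block would fail with an UnboundLocalError rather than leaving the cache untouched. A short comment on the `try` stating that invariant would help future edits keep it.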
@@ -115,11 +125,14 @@ def fetch_data(self) -> Any:
-        else:
-            return jwk_set
-        finally:
-            if self.jwk_set_cache is not None:
-                self.jwk_set_cache.put(jwk_set)
+        if self.jwk_set_cache is not None:
+            self.jwk_set_cache.put(jwk_set)
+        return jwk_set
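Review bot: moving the `put` out of `finally` and after the block is the right fix, since the old `finally` also ran on the exception path and stored the still-`None` `jwk_set`, evicting valid keys; please add a regression test asserting that a raised fetch or timeout error leaves a previously cached key set intact, and confirm that `put` is only reached after the response has been parsed successfully. The commit title says the cache is cleared on a fetch exception, but no line in these hunks clears it, so the message should match the visible change.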
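To make the eviction concrete, here is an added, self-contained model of the flaw (example code written for this page, not PyJWT's own implementation): a stand-in key-set cache, the pre-fix fetch shape whose `finally` stores `jwk_set` even when it is still `None`, and the post-fix shape mirroring the hunk above, where the cache is only written on the success path. `JWKSetCache`, `FetchError`, the fetcher callables and the sample key set are all constructed for the demonstration; the fixed variant assumes, as the hunk requires, that the `except` branch re-raises.

```python
from typing import Any, Callable, Optional


class JWKSetCache:
    """Constructed stand-in for the client's key-set cache."""

    def __init__(self) -> None:
        self.jwk_set: Optional[Any] = None

    def put(self, jwk_set: Any) -> None:
        self.jwk_set = jwk_set

    def get(self) -> Optional[Any]:
        return self.jwk_set


class FetchError(Exception):
    """Constructed stand-in for the client's connection error."""


def fetch_vulnerable(cache: JWKSetCache, fetcher: Callable[[], Any]) -> Any:
    """Pre-fix shape: the finally block runs on the error path too."""
    jwk_set: Any = None
    try:
        jwk_set = fetcher()
    except Exception as e:
        raise FetchError(str(e)) from e
    else:
        return jwk_set
    finally:
        cache.put(jwk_set)  # on failure jwk_set is still None: valid keys evicted


def fetch_fixed(cache: JWKSetCache, fetcher: Callable[[], Any]) -> Any:
    """Post-fix shape: the cache is written only after a successful fetch."""
    try:
        jwk_set = fetcher()
    except Exception as e:
        raise FetchError(str(e)) from e  # except branch must raise (see hunk)
    cache.put(jwk_set)
    return jwk_set


def simulate(fetch: Callable[[JWKSetCache, Callable[[], Any]], Any]) -> Optional[Any]:
    """Warm the cache with a constructed key set, then fail one fetch (timeout)
    and return what the cache holds afterwards."""
    cache = JWKSetCache()
    fetch(cache, lambda: {"keys": [{"kid": "good-key"}]})

    def failing() -> Any:
        raise TimeoutError("upstream JWKS timed out")

    try:
        fetch(cache, failing)
    except FetchError:
        pass
    return cache.get()
```

Running `simulate(fetch_vulnerable)` yields `None` (the good key is gone after a single failed lookup), while `simulate(fetch_fixed)` still returns the cached key set.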

Mitigation Strategies

  • Upgrade PyJWT to version 2.13.0 or higher
  • Implement rate limiting at the API Gateway or WAF level to throttle incoming requests with unique, unverified JWT headers
  • Validate the format and structure of the 'kid' header before initiating client database or remote lookup actions
  • Apply strict outbound connection limits and low timeouts on requests to dynamic JWKS endpoints

Remediation Steps:

  1. Identify all deployment environments running Python-based JWT authentication layers.
  2. Check the installed PyJWT version using 'pip show pyjwt'.
  3. Upgrade the package to a safe version: 'pip install --upgrade "pyjwt>=2.13.0"'.
  4. Restart the application server instances to reload the newly patched dependency into memory.
  5. Set up application telemetry to alert on spikes of 'PyJWKClientConnectionError' or unhandled connection timeouts.

Read the full report for CVE-2026-48524 on our website for more details including interactive diagrams and full exploit analysis.
