CVE-2026-48526: Algorithm Confusion Vulnerability in PyJWT
Vulnerability ID: CVE-2026-48526
CVSS Score: 7.4
Published: 2026-05-28
CVE-2026-48526 is an algorithm-confusion vulnerability in PyJWT prior to version 2.13.0. When an application decodes tokens using a raw JSON Web Key (JWK) string while simultaneously supporting mixed algorithm families (symmetric and asymmetric), PyJWT does not validate that the key matches its intended algorithm context. This allows an attacker to sign a forged token using the public JWK string as an HMAC symmetric secret, bypassing authentication controls.
TL;DR
An algorithm-confusion vulnerability in PyJWT allows remote attackers to bypass authentication by signing forged tokens with a public JWK string treated as a symmetric HMAC secret.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-287
- Attack Vector: Network
- CVSS: 7.4
- EPSS Score: 0.00017
- Impact: High
- Exploit Status: Proof-of-Concept
- KEV Status: Not Listed
Affected Systems
- pyjwt (Python JSON Web Token Library)
- pyjwt: < 2.13.0 (Fixed in: 2.13.0)
Code Analysis
Commit: 95791b1
Fix algorithm confusion with raw JWKs in HMACAlgorithm
Mitigation Strategies
- Upgrade pyjwt to version 2.13.0 or later.
- Do not allow mixed algorithm families in jwt.decode calls.
- Parse public keys explicitly using PyJWK rather than passing raw JSON strings.
Remediation Steps:
- Run pip install --upgrade pyjwt to update to 2.13.0+.
- Review jwt.decode usage to ensure the algorithms list is restricted strictly to either symmetric (e.g. HS256) or asymmetric (e.g. RS256) families.
- Modify raw key-loading paths to parse JWK dictionaries using jwt.PyJWK before verification.
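The two configuration checks behind the remediation steps above, as an added example that is not PyJWT's code or part of the original advisory: a pre-flight guard that refuses an algorithms list mixing HMAC and public-key algorithms, refuses JWK material whose "kty" does not match the algorithm family (a public RSA/EC/OKP JWK handed to an HMAC algorithm is the forgery path the advisory describes), and parses JWK input through jwt.PyJWK instead of passing a raw JSON string. The check functions use only the standard library; safe_decode is a hypothetical wrapper name that imports PyJWT only when called and needs real key material to verify a token. The sample JWK and secret are constructed placeholders.

```python
"""Pre-flight guard for jwt.decode() configuration (constructed example).

Enforces the advisory's two mitigations before any token is verified: the
algorithms list names a single family, and JWK material is used only with the
family its "kty" belongs to. Checks are stdlib-only; safe_decode() imports
PyJWT lazily.
"""
import json

# JWA algorithm identifiers grouped by key family.
SYMMETRIC_ALGS = {"HS256", "HS384", "HS512"}
ASYMMETRIC_ALGS = {
    "RS256", "RS384", "RS512",
    "PS256", "PS384", "PS512",
    "ES256", "ES256K", "ES384", "ES512",
    "EdDSA",
}


def algorithm_family(algorithms):
    """Return "symmetric" or "asymmetric" for an algorithms list.

    Raises ValueError if the list is empty, names an unknown algorithm, or
    mixes HMAC with public-key algorithms (the precondition for confusion).
    """
    algs = set(algorithms)
    if not algs:
        raise ValueError("algorithms must not be empty")
    unknown = algs - SYMMETRIC_ALGS - ASYMMETRIC_ALGS
    if unknown:
        raise ValueError(f"unknown algorithms: {sorted(unknown)}")
    sym, asym = algs & SYMMETRIC_ALGS, algs & ASYMMETRIC_ALGS
    if sym and asym:
        raise ValueError(f"mixed algorithm families: {sorted(sym)} with {sorted(asym)}")
    return "symmetric" if sym else "asymmetric"


def jwk_key_type(key):
    """Return the "kty" of a JWK given as dict, str or bytes, or None when the
    key material is not a JWK (a PEM string or an opaque HMAC secret)."""
    obj = key
    if isinstance(key, (str, bytes)):
        try:
            obj = json.loads(key)
        except ValueError:
            return None
    if isinstance(obj, dict) and isinstance(obj.get("kty"), str):
        return obj["kty"]
    return None


def check_decode_config(key, algorithms):
    """Reject key/algorithm pairings that do not belong together.

    HMAC algorithms may use an opaque secret or an "oct" JWK, never an
    RSA/EC/OKP JWK; public-key algorithms may use a non-"oct" JWK or a
    PEM/DER key, never an "oct" JWK. Returns the family on success.
    """
    family = algorithm_family(algorithms)
    kty = jwk_key_type(key)
    if family == "symmetric" and kty is not None and kty != "oct":
        raise ValueError(f"{kty} JWK must not be used as an HMAC secret")
    if family == "asymmetric" and kty == "oct":
        raise ValueError("oct (symmetric) JWK cannot verify a public-key algorithm")
    return family


def is_safe_decode_config(key, algorithms):
    """Boolean form of check_decode_config, convenient for auditing call sites."""
    try:
        check_decode_config(key, algorithms)
        return True
    except ValueError:
        return False


def safe_decode(token, key, algorithms, **kwargs):
    """Hypothetical wrapper: validate the configuration, parse JWK material via
    jwt.PyJWK, and hand a key object (never a raw JSON string) to jwt.decode."""
    import jwt  # PyJWT, imported lazily so the checks above run without it

    check_decode_config(key, algorithms)
    if jwk_key_type(key) is not None:
        if isinstance(key, bytes):
            key = key.decode()
        data = key if isinstance(key, str) else json.dumps(key)
        key = jwt.PyJWK.from_json(data).key
    return jwt.decode(token, key, algorithms=list(algorithms), **kwargs)


# Constructed sample inputs (placeholder values, not real key material).
SAMPLE_PUBLIC_JWK = json.dumps({"kty": "RSA", "kid": "example", "n": "placeholder-modulus", "e": "AQAB"})
SAMPLE_HMAC_SECRET = "constructed-shared-secret"

if __name__ == "__main__":
    # Vulnerable pattern: mixed families with a public JWK passed as a raw string.
    print(is_safe_decode_config(SAMPLE_PUBLIC_JWK, ["HS256", "RS256"]))  # False
    # Hardened: one family per call site, JWK only with public-key algorithms.
    print(is_safe_decode_config(SAMPLE_PUBLIC_JWK, ["RS256"]))  # True
    print(is_safe_decode_config(SAMPLE_HMAC_SECRET, ["HS256"]))  # True
```

Run is_safe_decode_config over each jwt.decode call site's (key, algorithms) pair during a code review to find the mixed-family or JWK-as-secret configurations the advisory warns about; the upgrade to 2.13.0 remains the primary fix, and this guard only makes the intended algorithm context explicit at the call site.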