CVE-2026-32597 Overview
PyJWT is a widely-used JSON Web Token (JWT) implementation in Python. Prior to version 2.12.0, PyJWT fails to properly validate the crit (Critical) Header Parameter as defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library incorrectly accepts the token instead of rejecting it. This behavior violates the MUST requirement specified in the RFC, potentially allowing attackers to bypass security controls by crafting tokens with critical extensions that should be enforced but are silently ignored.
Critical Impact
Attackers can craft malicious JWT tokens containing unknown critical extensions that PyJWT will accept, potentially bypassing authentication and authorization controls in applications relying on proper JWT validation.
Affected Products
- PyJWT versions prior to 2.12.0
- Applications using PyJWT for JWT validation without additional crit header checks
- Python web applications and APIs relying on PyJWT for token-based authentication
Discovery Timeline
- 2026-03-13 - CVE-2026-32597 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-32597
Vulnerability Analysis
This vulnerability represents a Cryptographic Vulnerability and Input Validation Error in PyJWT's handling of the RFC 7515 Critical Header Parameter. According to the RFC specification, when a JWT contains a crit header parameter listing extensions that the implementation does not understand or support, the token MUST be rejected as invalid. PyJWT's failure to enforce this requirement creates a security gap where tokens with unrecognized critical extensions are processed as valid.
The vulnerability is classified under CWE-345 (Insufficient Verification of Data Authenticity), as PyJWT fails to properly verify that all critical extensions specified in the token are understood and enforced by the library. This can lead to authentication bypass scenarios where attackers include critical extensions in their tokens that should trigger specific security behaviors, but are instead silently ignored.
Root Cause
The root cause lies in PyJWT's token validation logic, which does not implement the RFC 7515 §4.1.11 requirement to reject tokens containing unrecognized values in the crit header array. The library processes the token without checking whether it understands and can properly enforce all extensions listed as critical, violating the specification's mandatory rejection requirement.
Attack Vector
An attacker can exploit this vulnerability by crafting a JWT token that includes a crit header parameter containing extensions that PyJWT does not recognize. Since the library fails to reject such tokens, an attacker could potentially bypass security mechanisms that rely on proper crit header validation.
The attack is network-based and requires no privileges or user interaction. An attacker with knowledge of this vulnerability could craft malicious tokens and submit them to applications using vulnerable PyJWT versions. If the application relies on PyJWT's validation as its sole defense, the malicious token may be accepted despite containing critical extensions that should have caused rejection.
For technical details on the vulnerability mechanism, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-32597
Indicators of Compromise
- JWT tokens containing crit header parameters with unusual or unexpected extension names
- Authentication logs showing tokens with unrecognized critical headers being accepted
- Anomalous API access patterns using tokens with non-standard JWT structures
Detection Strategies
- Monitor application logs for JWT tokens containing crit header parameters that list unknown extensions
- Implement additional validation layers that explicitly check for and reject tokens with unrecognized critical extensions
- Use security scanning tools to identify PyJWT versions in your dependency tree that are below 2.12.0
- Conduct code reviews to identify applications relying solely on PyJWT for JWT validation without additional checks
Monitoring Recommendations
- Enable verbose logging for JWT validation failures and successes to track token structure anomalies
- Deploy application-level monitoring to alert on tokens with unusual header structures
- Implement dependency scanning in CI/CD pipelines to detect vulnerable PyJWT versions
- Monitor for authentication anomalies that may indicate token manipulation attempts
How to Mitigate CVE-2026-32597
Immediate Actions Required
- Upgrade PyJWT to version 2.12.0 or later immediately
- Audit applications using PyJWT to identify all affected deployments
- Implement additional validation logic to reject tokens with unrecognized crit header values as a defense-in-depth measure
- Review authentication logs for any suspicious token activity that may indicate exploitation attempts
Patch Information
The vulnerability is fixed in PyJWT version 2.12.0. Organizations should update their Python dependencies to include this patched version. The fix ensures that tokens containing crit header parameters with unrecognized extensions are properly rejected in accordance with RFC 7515 requirements.
For complete patch details and upgrade instructions, refer to the PyJWT Security Advisory.
Workarounds
- Implement a pre-validation wrapper that inspects incoming tokens for crit headers and rejects tokens containing any critical extensions not explicitly whitelisted
- Add application-level validation that parses the JWT header before passing to PyJWT and rejects tokens with unknown critical extensions
- Consider using alternative JWT libraries that properly implement RFC 7515 §4.1.11 requirements until PyJWT can be upgraded
# Upgrade PyJWT to patched version
pip install --upgrade pyjwt>=2.12.0
# Verify installed version
pip show pyjwt | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
