Cyber Resilience

CVE-2026-32597

HighPublic PoC

Published: 13 March 2026

Published
13 March 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0001 2.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32597 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Pyjwt Project Pyjwt. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

CVE-2026-32597 affects PyJWT, a Python implementation of JSON Web Tokens (JWTs), in versions prior to 2.12.0. The vulnerability stems from the library's failure to properly validate the "crit" (Critical) Header Parameter as defined in RFC 7515 §4.1.11. Specifically, when a JSON Web Signature (JWS) token includes a "crit" array listing extensions that PyJWT does not recognize, the library accepts the token rather than rejecting it, violating the RFC's MUST requirement. This issue is tracked under CWE-345 (Insufficient Verification of Data Authenticity) and CWE-863 (Incorrect Authorization), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A remote, unauthenticated attacker can exploit this vulnerability by crafting a malicious JWS token that includes unrecognized "crit" header extensions. Any application relying on vulnerable PyJWT for token validation could then accept these invalid tokens, potentially enabling integrity violations such as bypassing authentication or authorization checks if the token is used in a security-critical context.

The PyJWT GitHub security advisory (GHSA-752w-5fwx-jx9f) confirms the issue and states that it is fixed in version 2.12.0, recommending that users upgrade to this or later versions to mitigate the vulnerability. No workarounds are detailed in the provided references.

EU & UK References

Vulnerability details

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not…

more

understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1606 Forge Web Credentials Credential Access
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.
Why these techniques?

Vulnerability enables remote crafting of invalid JWS tokens that bypass authenticity checks (CWE-345/863), directly facilitating T1190 (exploitation of public-facing apps for auth bypass) and T1606 (forging web credentials/JWTs that should be rejected per RFC).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-48526Same product: Pyjwt Project Pyjwt
CVE-2026-35042Shared CWE-345
CVE-2025-30743Shared CWE-863
CVE-2026-2428Shared CWE-345
CVE-2026-34645Shared CWE-863
CVE-2026-1007Shared CWE-863
CVE-2026-26308Shared CWE-863
CVE-2024-53553Shared CWE-863
CVE-2026-29087Shared CWE-863
CVE-2026-32924Shared CWE-863

Affected Assets

pyjwt project
pyjwt
≤ 2.12.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires cryptographic verification of information (JWS token) authenticity and integrity before acceptance, directly blocking tokens with unrecognized crit headers.

prevent

Enforces access decisions only on valid tokens; accepting non-compliant JWS tokens allows unauthorized access or authorization bypass.

prevent

Protects session authenticity by requiring proper validation of session tokens (JWT/JWS) against protocol requirements such as RFC 7515.

References