CVE-2026-48524— PyJWT: PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)
Possible ATT&CK Techniques 2AI
T1190 · Exploit Public-Facing Application T1498.002 · Reflection AmplificationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-48524
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
PyJWT: PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)
Source: NVD (National Vulnerability Database)
Vulnerability Description
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. This vulnerability is fixed in 2.13.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
抛出异常的清理不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
pyjwt 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
pyjwt是美国José Padilla个人开发者的一个 Python 库。允许对 JSON Web 令牌(JWT)进行编码和解码。 pyjwt 2.13.0之前版本存在安全漏洞,该漏洞源于PyJWKClient.get_signing_key()对每个具有未知kid值的JWT强制向JWKS端点发起新的HTTP请求,且无速率限制,导致攻击者可以触发无限制的出站请求。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-48524
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-48524
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-48524 (1)
Same Patch Batch · jpadilla · 2026-05-28 · 5 CVEs total
| CVE-2026-48526 | 7.4 HIGH | PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed famil |
| CVE-2026-48523 | 5.4 MEDIUM | PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys |
| CVE-2026-48525 | 5.3 MEDIUM | PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b |
| CVE-2026-48522 | 4.2 MEDIUM | PyJWKClient: missing scheme allowlist enables SSRF + token forgery via file://, ftp://, da |
IV. Related Vulnerabilities
Same product: pyjwt
- CVE-2026-48525
PyJWT: Unauthenticated DoS via unbounded Base64URL decoding - CVE-2026-48523
PyJWT: Algorithm allow-list bypass when decoding with `PyJWK - CVE-2026-48526
PyJWT: Public-key JWK accepted as HMAC secret enables forged - CVE-2026-48522
PyJWKClient: missing scheme allowlist enables SSRF + token f - CVE-2026-32597
PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.
Same vendor: jpadilla
- CVE-2026-48525
PyJWT: Unauthenticated DoS via unbounded Base64URL decoding - CVE-2026-48523
PyJWT: Algorithm allow-list bypass when decoding with `PyJWK - CVE-2026-48526
PyJWT: Public-key JWK accepted as HMAC secret enables forged - CVE-2026-48522
PyJWKClient: missing scheme allowlist enables SSRF + token f - CVE-2026-32597
PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.
Same weakness: CWE-460
V. Comments for CVE-2026-48524
No comments yet