Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-48526— PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed

CVSS 7.4 · High EPSS 0.02% · P4

Possible ATT&CK Techniques 1AI

T1556 · Modify Authentication Process

Affected Version Matrix 1

VendorProductVersion RangeStatus
jpadillapyjwt< 2.13.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-48526

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed
Source: NVD (National Vulnerability Database)
Vulnerability Description
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
pyjwt 数据伪造问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
pyjwt是美国José Padilla个人开发者的一个 Python 库。允许对 JSON Web 令牌(JWT)进行编码和解码。 pyjwt 2.13.0之前版本存在数据伪造问题漏洞,该漏洞源于验证器在解码JSON Web令牌时,同时支持非对称和HMAC算法,但未验证JSON Web密钥在HMAC算法中的使用,导致攻击者可以使用发行者公钥作为HMAC算法的密钥。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
jpadillapyjwt < 2.13.0 -

II. Public POCs for CVE-2026-48526

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium
Qwen3.6-35B-A3B · 11211 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month

III. Intelligence Information for CVE-2026-48526

登录查看更多情报信息。

Vendor Advisories for CVE-2026-48526 (1)

Same Patch Batch · jpadilla · 2026-05-28 · 5 CVEs total

CVE-2026-485235.4 MEDIUMPyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys
CVE-2026-485255.3 MEDIUMPyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b
CVE-2026-485224.2 MEDIUMPyJWKClient: missing scheme allowlist enables SSRF + token forgery via file://, ftp://, da
CVE-2026-485243.7 LOWPyJWT: PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (Do

IV. Related Vulnerabilities

Same product: pyjwt
Same vendor: jpadilla
Same weakness: CWE-287

V. Comments for CVE-2026-48526

No comments yet

Leave a comment