Threat Advisory

PyJWT Vulnerability Allows Forged Token Authentication

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-48526, with a CVSS score of 7.4, is an authentication-logic flaw in the PyJWT Python library (pip/pyjwt) affecting all releases prior to 2.13.0. The vulnerability arises because the verifier's decode function does not enforce proper separation between symmetric HMAC algorithms and asymmetric key formats when a raw JSON Web Key (JWK) is supplied as the key argument. Consequently, an attacker can present a malicious JWT whose header selects HS256, and the library mistakenly treats the issuer's public RSA JWK as the HMAC secret, allowing the attacker to generate a valid signature without possessing any private material. Exploitation is performed remotely over the network with no privileged access or user interaction required, provided the vulnerable application configures the decoder to accept both HS* and RSA/EC algorithms in the same call and passes the public JWK directly. Successful exploitation lets the attacker forge tokens that impersonate any user or role, leading to unauthorized access, privilege escalation, and complete bypass of authentication and authorization controls. The attack succeeds only when both the mixed-algorithm configuration and raw JWK key usage are present, which makes this a misconfiguration that can be exploited in otherwise secure deployments.
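The following is an added example for this advisory, not PyJWT's own code or the fix shipped in 2.13.0. It shows the two checks a verifier should apply before calling `jwt.decode(token, key, algorithms=...)`: refuse an `algorithms` list that mixes HS* with RSA/EC algorithms, and refuse any token whose header `alg` family does not match the family of the supplied key (an HS* header against an RSA or EC public JWK is exactly the confusion described above). The JWK, tokens and dummy signature are constructed for the demonstration and carry no real key material; the gate only inspects the header and key shape, it does not replace signature verification.

```python
"""Pre-decode guard enforcing the HMAC / asymmetric-key separation that the
advisory says PyJWT < 2.13.0 lacked.  Added example, not PyJWT's code; the JWK
and tokens below are constructed and the signatures are dummies."""
import base64
import json

# Signing algorithm families as named in RFC 7518.
SYMMETRIC_ALGS = {"HS256", "HS384", "HS512"}
ASYMMETRIC_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
                   "ES256", "ES384", "ES512", "EdDSA"}
# JWK key types (RFC 7518 section 6.1) that carry public/private key material.
ASYMMETRIC_KTY = {"RSA", "EC", "OKP"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode_json(obj: dict) -> str:
    """Compact-JSON encode and base64url a header or payload (no padding)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def parse_header(token: str) -> dict:
    """Return the JOSE header of a compact JWT without verifying anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict) or "alg" not in header:
        raise ValueError("JOSE header missing 'alg'")
    return header


def validate_allowlist(algorithms) -> set:
    """Reject an `algorithms` list that mixes HMAC and asymmetric algorithms.
    Accepting both families in one decode call is the precondition the
    advisory describes, so refuse such a configuration at startup."""
    algs = set(algorithms)
    unknown = algs - SYMMETRIC_ALGS - ASYMMETRIC_ALGS
    if unknown or not algs:
        raise ValueError(f"unsupported or empty algorithm list: {sorted(unknown)}")
    if algs & SYMMETRIC_ALGS and algs & ASYMMETRIC_ALGS:
        raise ValueError("algorithm list mixes HMAC and asymmetric algorithms")
    return algs


def key_family(key) -> str:
    """Classify the verification key: a JWK dict by its 'kty'; PEM text or
    bytes as asymmetric; any other str/bytes as a shared HMAC secret."""
    if isinstance(key, dict):
        kty = key.get("kty")
        if kty in ASYMMETRIC_KTY:
            return "asymmetric"
        if kty == "oct":
            return "symmetric"
        raise ValueError(f"unknown JWK kty {kty!r}")
    if isinstance(key, (bytes, str)):
        text = key.decode() if isinstance(key, bytes) else key
        return "asymmetric" if "-----BEGIN" in text else "symmetric"
    raise TypeError("key must be a JWK dict, str or bytes")


def check_token_against_key(token: str, key, algorithms) -> str:
    """Gate to run *before* jwt.decode(token, key, algorithms=...): the header
    alg must be on the single-family allow-list and must match the key family.
    Returns the accepted alg; raises ValueError otherwise."""
    allowed = validate_allowlist(algorithms)
    alg = parse_header(token)["alg"]
    if alg not in allowed:
        raise ValueError(f"alg {alg!r} not in allow-list")
    alg_family = "symmetric" if alg in SYMMETRIC_ALGS else "asymmetric"
    if alg_family != key_family(key):
        # An HS* header presented against an RSA/EC public JWK lands here.
        raise ValueError(f"alg {alg!r} is {alg_family} but key is {key_family(key)}")
    return alg


def _make_demo_token(header: dict, payload: dict) -> str:
    """Build a compact JWT with a constructed dummy signature segment."""
    return f"{_b64url_encode_json(header)}.{_b64url_encode_json(payload)}.c2lnbmF0dXJl"


# Constructed RSA public JWK: 'n' is a placeholder, not a real modulus.
ISSUER_PUBLIC_JWK = {"kty": "RSA", "alg": "RS256", "use": "sig",
                     "kid": "demo-key", "n": "placeholder-modulus", "e": "AQAB"}

RS256_TOKEN = _make_demo_token({"alg": "RS256", "typ": "JWT", "kid": "demo-key"},
                               {"sub": "alice", "role": "user"})
HS256_TOKEN = _make_demo_token({"alg": "HS256", "typ": "JWT", "kid": "demo-key"},
                               {"sub": "alice", "role": "admin"})

if __name__ == "__main__":
    # Weak configuration from the advisory: both families in one call.
    try:
        validate_allowlist(["RS256", "HS256"])
    except ValueError as exc:
        print("rejected config:", exc)
    # Hardened configuration: one asymmetric algorithm pinned to the public key.
    print("accepted:", check_token_against_key(RS256_TOKEN, ISSUER_PUBLIC_JWK, ["RS256"]))
    try:
        check_token_against_key(HS256_TOKEN, ISSUER_PUBLIC_JWK, ["HS256"])
    except ValueError as exc:
        print("rejected token:", exc)
```

Run the gate, then pass only the returned `alg` in the `algorithms` list of the real decode call; the upgrade to 2.13.0 remains the fix, and this guard is defence in depth for deployments that must keep passing raw JWKs.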


RECOMMENDATION:

  • We recommend updating PyJWT to version 2.13.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-xgmm-8j9v-c9wx
