CVE-2026-48526 PUBLISHED

PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed

Assigner: GitHub_M
Reserved: 21.05.2026 Published: 28.05.2026 Updated: 29.05.2026

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 7.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	jpadilla
Product	pyjwt
Versions	Version < 2.13.0 is affected

References

https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx

Problem Types

CWE-287: Improper Authentication CWE
CWE-347: Improper Verification of Cryptographic Signature CWE