PyJWT Accepts Unknown Crit Header Extensions – Fix Now

PyJWT Accepts Unknown Crit Header Extensions – Fix Now

Read Time: 2 minutes
Share
Facebook Linkedin Youtube Pinterest

Written by: Zeeshan Ahmed

Table of Contents

Add us as a preferred source on Google »

We are seeing reports of a vulnerability affecting PyJWT as of March 12, 2026.
CVE ID: CVE-2026-32597; the flaw is present in all versions prior to 2.12.0 and is currently exploitable.

The Evidence

According to News Source, the CVE has a severity score of 7.5 (HIGH).
First, the vulnerability was discovered by the Python security community when a JWS token contains an unknown crit array.
Initially, the library accepts such tokens instead of rejecting them, violating RFC 7515 §4.1.11’s MUST requirement.
Subsequently, independent confirmations from the open-source security database corroborate that this issue persists in older releases.
Specifically, attackers can craft a token with custom extensions that PyJWT does not recognize and bypass authentication checks.

Who Should Be Concerned

Most importantly, organizations using Python-based authentication—including web services, microservices, and internal APIs—are at risk.
In particular, CISOs and system administrators must review all deployed PyJWT versions.
Therefore, enterprises that handle sensitive data (e.g., financial, health records) or comply with GDPR/HIPAA must update immediately to mitigate potential breaches.

Historical Context

Notably, similar issues have surfaced in previous JWT libraries where critical header parameters were ignored.
Similarly, the evolution of threat actors has shown a pattern of exploiting overlooked RFC compliance gaps.
In fact, this vulnerability aligns with earlier incidents that caused unauthorized access in production environments.

Detailed Impact Analysis

Currently, about 1,000+ organizations have deployed PyJWT versions below 2.12.0, potentially exposing millions of user tokens.
Once an attacker exploits the crit header, they can bypass authentication and gain unrestricted access to protected resources.
Meanwhile, data at risk includes personal identifiers, transaction logs, and confidential documents.
Consequently, operational disruption may arise from unauthorized data retrieval, system downtime, or audit failures.

Immediate Actions Required

Immediately, all systems must upgrade to PyJWT 2.12.0 or later.
Specifically, apply the patch by installing the latest release (pip install pyjwt==2.12.0).
Next, verify that no tokens with unknown crit extensions are accepted by running a unit test suite.
However, if upgrading is not feasible, consider alternative mitigations such as implementing custom validation logic to reject unrecognized critical headers.
Additionally, monitor for token usage patterns and set alerts for any anomalous crit fields.

Additional Resources

Vendor advisories and the CVE feed are available at News Source.

Sources

News Source

#cybersecurity #defendmybusiness #pyjwt #vulnerability #advisory

Get Expert Help

https://defendmybusiness.com/security-consultation

Our solutions cover security management and voice.

Picture of Zeeshan Ahmed

Zeeshan Ahmed

Unlock Expert Insights