CVE-2026-32597: PyJWT accepts unknown `crit` header extensions

March 13, 2026 (updated March 16, 2026)

PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC.

This is the same class of vulnerability as CVE-2025-59420 (Authlib), which received CVSS 7.5 (HIGH).

References

github.com/advisories/GHSA-752w-5fwx-jx9f
github.com/jpadilla/pyjwt
github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f
nvd.nist.gov/vuln/detail/CVE-2026-32597

Code Behaviors & Features

Detect and mitigate CVE-2026-32597 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →