CVE-2026-48524: PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)
PyJWKClient.get_signing_key() issues a fresh HTTP request to the JWKS endpoint for every JWT whose kid value is not already cached, with no rate limiting. Because the kid value is taken from the unverified token header, an attacker who can present tokens to the application can cause it to make an unbounded number of outbound requests.
Additionally, the finally block in fetch_data() clears the JWKS cache whenever a network error occurs, so a single failed refresh discards the previously cached keys.
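The following is an added example, not PyJWT's code, that shows the shape of a mitigation for both behaviours described above: refreshing the JWKS at most once per cooldown window no matter how many unknown kid values arrive, and keeping the last good key set when a refresh fails. The fetch callback, the injectable clock, and the JWK Set contents are constructed stand-ins for the real HTTP fetch; the class and function names are hypothetical.

```python
import time
from typing import Callable, Dict, Optional

# Constructed stand-in for a JWK Set as served by a JWKS endpoint, keyed by
# kid. Not real key material.
CONSTRUCTED_JWKS: Dict[str, dict] = {
    "key-1": {"kid": "key-1", "kty": "RSA", "use": "sig"},
}


class ThrottledJwksCache:
    """Key lookup that bounds JWKS refetches caused by unknown kid values.

    - A refresh is attempted at most once per min_refresh_interval seconds,
      regardless of how many unknown kids are presented in between.
    - A failed refresh keeps the last good key set instead of clearing it.
    """

    def __init__(self, fetch_jwks: Callable[[], Dict[str, dict]],
                 min_refresh_interval: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch_jwks          # hypothetical: returns {kid: jwk}
        self._min_interval = min_refresh_interval
        self._clock = clock               # injectable for deterministic tests
        self._keys: Dict[str, dict] = {}
        self._last_refresh: Optional[float] = None
        self.refresh_attempts = 0
        self.failed_refreshes = 0

    def _refresh(self) -> None:
        # Record the attempt first so that a failure still starts the cooldown;
        # otherwise a flood of unknown kids during an outage would hammer the endpoint.
        self._last_refresh = self._clock()
        self.refresh_attempts += 1
        try:
            fresh = self._fetch()
        except OSError:
            # Network error: retain the previously cached keys rather than clearing them.
            self.failed_refreshes += 1
            return
        self._keys = dict(fresh)

    def get_signing_key(self, kid: str) -> Optional[dict]:
        if self._last_refresh is None:
            self._refresh()               # first use: populate the cache
        key = self._keys.get(kid)
        if key is not None:
            return key
        # Unknown kid: only refetch once the cooldown has elapsed. Until then the
        # token is simply rejected, which is the safe default for an unknown key.
        if self._clock() - self._last_refresh >= self._min_interval:
            self._refresh()
            return self._keys.get(kid)
        return None


def simulate_unknown_kid_flood(n_tokens: int = 1000) -> int:
    """Present n_tokens tokens with distinct unknown kids inside one cooldown
    window and return how many JWKS fetches that caused."""
    fetches = 0
    now = [0.0]

    def fetch() -> Dict[str, dict]:
        nonlocal fetches
        fetches += 1
        return CONSTRUCTED_JWKS

    cache = ThrottledJwksCache(fetch, min_refresh_interval=60.0, clock=lambda: now[0])
    cache.get_signing_key("key-1")        # warm the cache (one fetch)
    for i in range(n_tokens):
        now[0] += 0.01                    # tokens arrive 10 ms apart, all within the window
        cache.get_signing_key(f"bogus-{i}")
    return fetches                        # expected: 1


def simulate_fetch_failure() -> Dict[str, object]:
    """Show that a network error during refresh does not evict cached keys."""
    now = [0.0]
    calls = 0

    def fetch() -> Dict[str, dict]:
        nonlocal calls
        calls += 1
        if calls > 1:
            raise OSError("constructed: JWKS endpoint unreachable")
        return CONSTRUCTED_JWKS

    cache = ThrottledJwksCache(fetch, min_refresh_interval=60.0, clock=lambda: now[0])
    cache.get_signing_key("key-1")        # initial successful fetch
    now[0] += 61.0                        # cooldown elapsed
    cache.get_signing_key("unknown-kid")  # triggers a refresh, which fails
    return {
        "known_key_still_cached": cache.get_signing_key("key-1") is not None,
        "failed_refreshes": cache.failed_refreshes,
    }


if __name__ == "__main__":
    print("fetches during flood of 1000 unknown kids:", simulate_unknown_kid_flood())
    print("after failed refresh:", simulate_fetch_failure())
```

The cooldown is started when a refresh is attempted, not when it succeeds, so an outage at the JWKS endpoint cannot be turned into a request amplifier either. A real deployment would wrap the library's key lookup with this kind of throttle (or upgrade to a fixed version) and alert on a sustained rate of unknown-kid rejections, since that is the observable signature of this attack.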