CVE-2026-48526: PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed

June 15, 2026

When the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm.

References

github.com/advisories/GHSA-xgmm-8j9v-c9wx
github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx
github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2026-179.yaml
nvd.nist.gov/vuln/detail/CVE-2026-48526

Code Behaviors & Features

Detect and mitigate CVE-2026-48526 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →