pyjwt
python · pyjwt · Heads-up
pyjwt: Unbounded JWKS fetch on unknown kid and cache wipe on network error
PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no ra
16 Jun 2026 · schedule it
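The entry above describes a verifier that re-fetches the JWKS on every unknown kid and drops its cache when that fetch fails. The following is an added illustration of the two mitigations a practitioner would want in front of any JWKS-backed verifier: throttle refreshes triggered by unknown kids, and keep the last good key set when a refresh raises. It is not PyJWT's code; the `fetch_jwks` callable and `clock` are assumed, injected dependencies so that the class runs offline on constructed data.

```python
"""Throttled JWKS cache (illustrative, stdlib only; not PyJWT's PyJWKClient).

Assumed interface: `fetch_jwks()` returns a parsed JWKS document, i.e. a dict
with a "keys" list of JWK dicts; `clock()` returns seconds as a float.
"""
import time


class ThrottledJWKSCache:
    """Caches JWKs by kid.

    An unknown kid triggers at most one upstream refresh per
    `min_refresh_interval` seconds, so a flood of tokens carrying random kids
    cannot turn the verifier into a request amplifier against the JWKS host.
    A refresh that raises leaves the previous key set in place, so a transient
    network error cannot wipe the cache and break verification of valid tokens.
    """

    def __init__(self, fetch_jwks, min_refresh_interval=300.0, clock=time.monotonic):
        self._fetch = fetch_jwks
        self._interval = float(min_refresh_interval)
        self._clock = clock
        self._keys = {}            # kid -> JWK dict
        self._last_refresh = None  # clock value of the last refresh attempt
        self.fetch_count = 0       # attempts, successful or not (for metrics/tests)

    def _refresh_allowed(self):
        return (self._last_refresh is None
                or self._clock() - self._last_refresh >= self._interval)

    def _refresh(self):
        # Record the attempt first so that failures are throttled too.
        self.fetch_count += 1
        self._last_refresh = self._clock()
        try:
            doc = self._fetch()
        except Exception:
            # Network or parse error: keep the existing keys untouched.
            return False
        new_keys = {}
        for jwk in doc.get("keys", []):
            kid = jwk.get("kid")
            if kid:
                new_keys[kid] = jwk
        # Replace atomically only after a successful fetch.
        self._keys = new_keys
        return True

    def get_key(self, kid):
        """Return the JWK for `kid`, or None if still unknown after a throttled refresh."""
        if kid in self._keys:
            return self._keys[kid]
        if self._refresh_allowed():
            self._refresh()
        return self._keys.get(kid)


def demo():
    """Constructed scenario: one real key, a flood of bogus kids, then an outage."""
    now = [1000.0]
    calls = {"n": 0}
    outage = {"on": False}
    jwks = {"keys": [{"kid": "k1", "kty": "oct", "k": "constructed-sample-key"}]}

    def fetch():
        calls["n"] += 1
        if outage["on"]:
            raise ConnectionError("simulated network error")
        return jwks

    cache = ThrottledJWKSCache(fetch, min_refresh_interval=60, clock=lambda: now[0])
    first = cache.get_key("k1")                 # cold cache: one fetch
    for i in range(100):
        cache.get_key(f"bogus-{i}")             # unknown kids inside the interval: no fetch
    fetches_after_flood = calls["n"]

    now[0] += 61                                # interval elapsed
    outage["on"] = True
    missing = cache.get_key("bogus")            # refresh attempted and fails
    survived = cache.get_key("k1")              # previous keys are still served
    return {
        "first_kid": first["kid"],
        "fetches_after_flood": fetches_after_flood,
        "missing_is_none": missing is None,
        "fetches_total": calls["n"],
        "survived_kid": survived["kid"],
    }
```

The interval is deliberately applied to failed attempts as well, so an upstream outage does not turn every unknown-kid token into a fresh connection attempt.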
python · pyjwt · Heads-up
PyJWT algorithm allow-list bypass with PyJWK keys
PyJWT 2.9.0 through 2.12.1 allows a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are calle
16 Jun 2026 · schedule it
python · pyjwt · Heads-up
PyJWT 2.4.0–2.12.1 Unauthenticated DoS via Detached JWS (b64=false)
PyJWT versions 2.4.0 through 2.12.1 have an unauthenticated denial-of-service vulnerability when verifying detached JWS tokens wit
16 Jun 2026 · schedule it
python · pyjwt · Critical
pyjwt: Algorithm Confusion via JSON Web Key Allows JWT Forgery
A vulnerability in pyjwt allows an attacker to forge JWTs when the verifier is configured with both symmetric and asymmetric algor
16 Jun 2026 · act now
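The two entries above (the allow-list bypass with PyJWK keys, and the algorithm confusion that allows forgery when both symmetric and asymmetric algorithms are configured) share one root cause: the verifier lets the token's own `alg` header choose which primitive runs against a single key object. The following is an added illustration in stdlib-only Python, not PyJWT's code, of the classic form of that confusion and of the check that stops it. The RSA public key PEM is constructed filler: the forgery only needs the bytes of a public key, never its mathematics, so RSA verification itself is intentionally not implemented here and the forged token never reaches that branch.

```python
"""Algorithm confusion in a toy JWS verifier, and the key/alg binding that stops it.

Illustrative stdlib-only Python; not PyJWT's code. PUBLIC_KEY_PEM is constructed
sample text standing in for a real RSA public key that an attacker can download.
"""
import base64
import hashlib
import hmac
import json

PUBLIC_KEY_PEM = (b"-----BEGIN PUBLIC KEY-----\n"
                  b"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedsamplekeymaterial\n"
                  b"-----END PUBLIC KEY-----\n")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWS; the attacker runs this with the server's public key bytes."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), f"{h}.{p}".encode(), b64url_decode(s), json.loads(b64url_decode(p))


def verify_rs256(signing_input: bytes, sig: bytes, pem: bytes) -> bool:
    # Real RSA verification is out of scope for this illustration. The forged
    # token never reaches this branch, which is precisely the bug being shown.
    raise NotImplementedError("RSA verification not implemented in this example")


def _check_hs256(signing_input: bytes, sig: bytes, key: bytes) -> None:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")


def verify_vulnerable(token: str, key: bytes, allowed_algs):
    """Pattern to avoid: one key blob, and the token's alg picks the primitive.

    With {"RS256", "HS256"} allowed, an HS256 token MACed with the public key
    bytes verifies, because that is exactly the key material this function holds.
    """
    header, signing_input, sig, claims = _split(token)
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise ValueError("alg not allowed")
    if alg == "HS256":
        _check_hs256(signing_input, sig, key)
        return claims
    if alg == "RS256":
        if not verify_rs256(signing_input, sig, key):
            raise ValueError("bad signature")
        return claims
    raise ValueError("unsupported alg")


def verify_hardened(token: str, key: bytes, key_alg: str):
    """Bind each key to exactly one algorithm and compare before any crypto runs."""
    header, signing_input, sig, claims = _split(token)
    if header.get("alg") != key_alg:
        raise ValueError(f"token alg {header.get('alg')!r} does not match key alg {key_alg!r}")
    if key_alg == "HS256":
        _check_hs256(signing_input, sig, key)
        return claims
    if key_alg == "RS256":
        if not verify_rs256(signing_input, sig, key):
            raise ValueError("bad signature")
        return claims
    raise ValueError("unsupported alg")


def demo():
    """Forge with the public key bytes; compare the two verifiers."""
    forged = encode_hs256({"sub": "admin", "role": "superuser"}, PUBLIC_KEY_PEM)
    accepted_by_vulnerable = verify_vulnerable(forged, PUBLIC_KEY_PEM, {"RS256", "HS256"})
    try:
        verify_hardened(forged, PUBLIC_KEY_PEM, "RS256")
        rejected_by_hardened = False
    except ValueError:
        rejected_by_hardened = True
    return accepted_by_vulnerable, rejected_by_hardened
```

The hardened verifier still accepts legitimate HS256 tokens when the key is declared as HS256; the difference is only that the algorithm comes from the key's configuration, never from attacker-controlled token headers.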