python · pyjwt · Heads-up

pyjwt: Unbounded JWKS fetch on unknown kid and cache wipe on network error


16 Jun 2026 · Read 1 min · Severity: schedule it

What changed

PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT whose kid value is not in the cached key set, with no rate limiting, so any number of tokens carrying unknown kid values turns into the same number of requests. Additionally, the finally block in fetch_data() writes to the JWKS cache on every exit path, so a network error clears the cached key set even though the previously fetched keys were still valid.

Who it affects

All releases that ship PyJWKClient (2.4.0 through 2.12.1)

What to do today

Apply the suggested fix: add a refresh cooldown to the unknown-kid path in get_signing_key(), and move the cache write in fetch_data() from the finally block to the else block so that only a successful fetch replaces the cached keys.
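The two fixes side by side, as an added example written for this advisory rather than pyjwt's own code: a stand-alone JWKS client (assumed names CooldownJWKClient and FakeJwksEndpoint, with constructed sample keys) that refreshes at most once per cooldown window on an unknown kid and writes the cache only in the else branch, so a failed fetch keeps the last good key set.

```python
import time
from typing import Callable, Optional

class JwksFetchError(Exception):
    """The JWKS endpoint could not be fetched; cached keys are left untouched."""

class CooldownJWKClient:
    """Constructed stand-in for a JWKS client (not pyjwt's PyJWKClient) showing a
    refresh cooldown for unknown kids and a cache write in 'else', not 'finally'."""

    def __init__(self, fetch: Callable[[], dict], refresh_cooldown: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch                 # returns a parsed JWKS: {"keys": [...]}
        self._cooldown = refresh_cooldown   # seconds between refresh attempts
        self._clock = clock
        self._keys: dict[str, dict] = {}    # kid -> JWK from the last good fetch
        self._last_attempt: Optional[float] = None
        self.fetch_count = 0                # network requests issued (checked by tests)

    def _refresh(self) -> None:
        self._last_attempt = self._clock()  # cooldown counts attempts, so a failing
        self.fetch_count += 1               # endpoint is not hammered either
        try:
            jwk_set = self._fetch()
        except OSError as e:
            raise JwksFetchError(f"failed to fetch JWKS: {e}") from e
        else:
            # Only a successful fetch replaces the cache; a 'finally' would also run
            # on the error path and wipe keys that still validate tokens.
            self._keys = {k["kid"]: k for k in jwk_set.get("keys", []) if "kid" in k}

    def get_signing_key(self, kid: str) -> dict:
        if kid in self._keys:
            return self._keys[kid]
        now = self._clock()
        if self._last_attempt is None or now - self._last_attempt >= self._cooldown:
            self._refresh()                 # at most one refresh per cooldown window,
            if kid in self._keys:           # whatever kid values the tokens carry
                return self._keys[kid]
        raise KeyError(f"no signing key matches kid {kid!r}")

class FakeJwksEndpoint:
    """Constructed in-memory JWKS endpoint with a fake clock and a failure switch."""
    def __init__(self) -> None:
        self.now, self.fail = 0.0, False
        self.keys = [{"kid": "key-1", "kty": "oct", "k": "c2VjcmV0"}]  # sample data
    def fetch(self) -> dict:
        if self.fail:
            raise OSError("connection refused")
        return {"keys": list(self.keys)}
```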
