Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2026-32597

Опубликовано: 12 мар. 2026
Источник: redhat
CVSS3: 7.5
EPSS Низкий

Описание

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
OpenShift Lightspeedopenshift-lightspeed/lightspeed-ocp-rag-rhel9Affected
OpenShift Lightspeedopenshift-lightspeed/lightspeed-service-api-rhel9Affected
OpenShift Lightspeedopenshift-lightspeed/lightspeed-to-dataverse-exporter-rhel9Affected
Red Hat AI Inference Serverrhaiis-preview/vllm-cuda-rhel9Affected
Red Hat AI Inference Serverrhaiis/vllm-cpu-rhel9Affected
Red Hat AI Inference Serverrhaiis/vllm-cuda-rhel9Affected
Red Hat AI Inference Serverrhaiis/vllm-rocm-rhel9Affected
Red Hat AI Inference Serverrhaiis/vllm-tpu-rhel9Affected
Red Hat Ansible Automation Platform 2ansible-automation-platform-24/ee-supported-rhel8Affected
Red Hat Ansible Automation Platform 2ansible-automation-platform-24/ee-supported-rhel9Affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-347
https://bugzilla.redhat.com/show_bug.cgi?id=2447194pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

EPSS

Процентиль: 5%
0.00019
Низкий

7.5 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2026-32597

CVSS3: 7.5
ubuntu
13 дней назад

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.

nvd логотип

CVE-2026-32597

CVSS3: 7.5
nvd
13 дней назад

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.

debian логотип

CVE-2026-32597

CVSS3: 7.5
debian
13 дней назад

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, P ...

github логотип

GHSA-752w-5fwx-jx9f

CVSS3: 7.5
github
13 дней назад

PyJWT accepts unknown `crit` header extensions

EPSS

Процентиль: 5%
0.00019
Низкий

7.5 High

CVSS3