CVE-2026-32597

HIGHPre-NVD 7.57.5
EchelonGraph scoreMEDIUM confidence

This high-severity CVE scores 7.5 under NVD CVSS v3. EPSS exploit probability: 0.0%, top 97% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: epss, nvd
Elevated
7.5
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.5Exploit: NoneExposed: 0

A fix is available — apply it.

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.

CVSS v3
7.5
EG Score
7.5(medium)
EPSS
18.5%
KEV
Not listed

Published

March 13, 2026

Last Modified

July 10, 2026

Advisory Details (2)

Auto-updated May 6, 2026
🔬 Proof of concept available. Patch available. Sources: github.
github Patch Available🟡 PoC Available

PyJWT accepts unknown `crit` header extensions · Advisory · jpadilla/pyjwt · GitHub

https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f
generic Patch Available

[SECURITY] [DLA 4564-1] pyjwt security update

https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html

Patch Availability(27)

Vendor / EcosystemFixed in / PatchReleasedSource
ubuntupython3-jwt (1.3.0-1ubuntu0.1+esm1) @ xenial2026-06-12ubuntu
redhatrhoai/odh-vllm-gaudi-rhel9:17800690692026-06-10redhat
redhatfence-agents-0:4.10.0-43.el9_2.212026-06-01redhat
redhatfence-agents-0:4.10.0-62.el9_4.242026-05-28redhat
redhatfence-agents-0:4.10.0-86.el9_6.162026-05-27redhat
redhatrhoai/odh-vllm-gaudi-rhel9:17786001872026-05-20redhat
redhatfence-agents-0:4.10.0-110.el9_8.22026-05-19redhat
redhatquay/quay-rhel9:17792040862026-05-19redhat
redhatfence-agents-0:4.16.0-21.el10_2.12026-05-19redhat
redhatfence-agents-0:4.16.0-5.el10_0.92026-05-13redhat
redhatfence-agents-0:4.16.0-13.el10_1.42026-05-06redhat
redhatfence-agents-0:4.10.0-98.el9_7.122026-05-05redhat
redhatansible-automation-platform-25/lightspeed-rhel8:17774038722026-05-04redhat
redhatansible-automation-platform-26/mcp-tools-rhel9:17773116012026-05-04redhat
redhatpython3.12-pyjwt-0:2.12.1-1.el9ap2026-05-04redhat
redhatfence-agents-0:4.2.1-129.el8_10.252026-04-30redhat
redhatrhelai3/disk-image-cuda-rhel9:17769388712026-04-23redhat
redhatrhelai3/bootc-rocm-rhel9:17767735052026-04-23redhat
redhatrhoai/odh-kserve-storage-initializer-rhel9:17763431112026-04-23redhat
redhatrhaiis/vllm-rocm-rhel9:17756802622026-04-17redhat
redhatrhaiis/vllm-cuda-rhel9:17756801922026-04-17redhat
redhatrhaiis/model-opt-cuda-rhel9:17757498572026-04-17redhat
redhatrhtas/model-transparency-rhel9:17758154072026-04-16redhat
redhatquay/quay-rhel8:17751691552026-04-07redhat
redhatquay/quay-rhel8:17751692182026-04-07redhat
redhatquay/quay-rhel8:17752530922026-04-06redhat
redhatquay/quay-rhel8:17751692192026-04-03redhat

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Affected Packages

(1 across 1 ecosystem)
PyPI(1)
PackageVulnerable rangeFixed inDependents
pyjwt0.1.1 ... 2.9.0 (52 versions)2.12.0

Weakness Classification(3)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Additional Vendor Advisories

(7)

Frequently asked(5)

What is CVE-2026-32597?
CVE-2026-32597 is a high vulnerability published on March 13, 2026. PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting…
When was CVE-2026-32597 disclosed?
CVE-2026-32597 was first published in the National Vulnerability Database on March 13, 2026, with the most recent update on July 10, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-32597 actively exploited?
CVE-2026-32597 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 18.5% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-32597?
CVE-2026-32597 has a CVSS v3 base score of 7.5 (NVD).
How do I remediate CVE-2026-32597?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-32597, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-32597

Explore →

Is Your Infrastructure Affected by CVE-2026-32597?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.