Description
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. This vulnerability is fixed in 2.13.0.
Published: 2026-05-28
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PyJWT's PyJWKClient fetches the JSON Web Key Set from its configured endpoint every time it sees a JWT whose key identifier (kid) it does not recognise, and it does so before the token has been verified. Because the library places no limit on how many such fetches may occur, an attacker who supplies tokens carrying arbitrary or repeated key identifiers can make the server issue an unlimited number of outbound HTTP requests. When a fetch fails, the library repeats the request, so sustained traffic can produce a denial-of-service condition that consumes network bandwidth and processing resources. The weakness is a form of resource exhaustion.

Affected Systems

The affected product is the PyJWT library for Python, in every release before version 2.13.0; it is tracked under the vendor:product identifier jpadilla:pyjwt. No narrower version ranges are listed, so any installation of PyJWT older than 2.13.0 should be treated as vulnerable.

Risk and Exploitability

The CVSS score of 3.7 indicates low overall severity; however, exploitation requires only control over the token header, which is often feasible for an attacker who can submit authentication requests. The effect depends on the behaviour of the JWKS endpoint: if it imposes its own rate limits or rejects requests, the impact of the attack may be reduced. Because exploitation yields neither privileged execution nor access to confidential data, the main risk is to availability. The vulnerability is not listed in the CISA KEV catalog, and the EPSS score of < 1% indicates a very low probability of exploitation in the wild.

Generated by OpenCVE AI on June 5, 2026 at 05:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PyJWT library to version 2.13.0 or later.
  • If upgrading is not possible, restrict the set of allowable key identifiers by validating the kid field against a known whitelist before passing it to PyJWKClient.
  • Add application‑level rate limiting or caching of JWKS responses to prevent repeated outbound requests for unknown keys.
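The second and third recommended actions, as an added Python example that is not part of OpenCVE's page or of the PyJWT project: a lookup wrapper that refuses kids outside an allowlist before touching the network and permits at most one JWKS refetch per cooldown window for unknown kids, stamping the attempt before the fetch so a failing fetch (the path the advisory describes) is throttled as well. `ThrottledJwksLookup`, the injected `fetch_jwks` callable and the constructed failing endpoint are assumptions; in a deployment the callable would wrap the JWKS HTTP client.

```python
import time
from typing import Callable, Dict, Optional

class JwksLookupRefused(Exception):
    """Raised when a kid is refused before or instead of a JWKS request."""

class ThrottledJwksLookup:
    """Cache JWKS keys; allow at most one refetch per cooldown window for unknown
    kids. fetch_jwks is a hypothetical injected callable returning {kid: key}."""

    def __init__(self, fetch_jwks, kid_allowlist=None, refetch_cooldown=60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch_jwks, self._allowlist = fetch_jwks, kid_allowlist
        self._cooldown, self._clock = refetch_cooldown, clock
        self._keys: Dict[str, object] = {}
        self._last_refetch: Optional[float] = None
        self.fetch_count = 0  # outbound JWKS requests actually issued

    def get_signing_key(self, kid: str) -> object:
        # kid is taken from the unverified header: refuse unexpected values first.
        if self._allowlist is not None and kid not in self._allowlist:
            raise JwksLookupRefused(f"kid {kid!r} not in allowlist")
        if kid in self._keys:
            return self._keys[kid]
        now = self._clock()
        if self._last_refetch is not None and now - self._last_refetch < self._cooldown:
            raise JwksLookupRefused(f"unknown kid {kid!r}; refetch throttled")
        # Stamp before fetching so a *failing* fetch is throttled as well; that
        # failure path is where the advisory's unbounded requests surface.
        self._last_refetch = now
        self.fetch_count += 1
        self._keys = dict(self._fetch_jwks())  # may raise; cooldown still holds
        if kid not in self._keys:
            raise JwksLookupRefused(f"kid {kid!r} absent after refresh")
        return self._keys[kid]

def simulate_unknown_kid_flood(attempts: int = 1000) -> Dict[str, int]:
    """Constructed scenario: failing JWKS endpoint, unknown kids 10 ms apart."""
    fake_now = [0.0]
    def failing_fetch() -> Dict[str, object]:
        raise ConnectionError("constructed upstream failure")
    lookup = ThrottledJwksLookup(failing_fetch, clock=lambda: fake_now[0])
    refused = 0
    for i in range(attempts):
        fake_now[0] += 0.01  # all attempts land inside one 60 s window
        try:
            lookup.get_signing_key(f"attacker-kid-{i}")
        except (JwksLookupRefused, ConnectionError):
            refused += 1
    return {"attempts": attempts, "fetches": lookup.fetch_count, "refused": refused}
```

With the guard in place, a thousand unknown-kid tokens against a failing endpoint cost one outbound request per cooldown window instead of one per token.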

Advisories

Source: GitHub GHSA
ID: GHSA-fhv5-28vv-h8m8
Title: PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)

History

Fri, 05 Jun 2026 00:15:00 +0000
  Weaknesses: added CWE-770
  References: (no values listed)
  Metrics (threat_severity): removed None; added Moderate

Mon, 01 Jun 2026 17:45:00 +0000
  First Time appeared: added Pyjwt Project; Pyjwt Project pyjwt
  CPEs: added cpe:2.3:a:pyjwt_project:pyjwt:*:*:*:*:*:*:*:*
  Vendors & Products: added Pyjwt Project; Pyjwt Project pyjwt

Thu, 28 May 2026 20:30:00 +0000
  Metrics (ssvc): added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 17:45:00 +0000
  First Time appeared: added Jpadilla; Jpadilla pyjwt
  Vendors & Products: added Jpadilla; Jpadilla pyjwt

Thu, 28 May 2026 15:30:00 +0000
  Description: added (the description text shown at the top of this page)
  Title: added PyJWT: PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)
  Weaknesses: added CWE-460; CWE-755
  References: (no values listed)
  Metrics (cvssV3_1): added {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-28T19:17:11.798Z
Reserved: 2026-05-21T16:18:10.619Z
Link: CVE-2026-48524

Vulnrichment
Updated: 2026-05-28T19:17:03.739Z

NVD
Status: Analyzed
Published: 2026-05-28T16:16:29.403
Modified: 2026-06-01T17:44:55.037
Link: CVE-2026-48524

Redhat
Severity: Moderate
Public Date: 2026-05-28T15:07:35Z
Links: CVE-2026-48524 - Bugzilla

OpenCVE Enrichment
Updated: 2026-06-05T06:00:06Z

Weaknesses
  • CWE-460: Improper Cleanup on Thrown Exception
  • CWE-755: Improper Handling of Exceptional Conditions
  • CWE-770: Allocation of Resources Without Limits or Throttling