Impact
PyJWT, a widely used JSON Web Token library for Python, allows an attacker to produce forged HS256 tokens: a public key supplied in JSON Web Key (JWK) format is accepted as if it were an HMAC secret. Because the library does not reject a JWK when the algorithm is set to a symmetric HMAC-family algorithm, an attacker who knows the public key bytes can compute a valid HMAC signature over an arbitrary payload and bypass authentication checks that rely solely on the token's signature. This allows the attacker to impersonate any user or system that accepts the token, potentially elevating privileges or accessing sensitive resources.
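As an added illustration of the defensive check that closes this gap (example code written for this page, not PyJWT's own implementation), the policy function below pins the expected algorithm and refuses to pair a JWK public key with any HS* algorithm before the token is ever handed to a decoder; the key, token and function names are assumptions for the example.

```python
import base64
import json

# Constructed sample key (not from the advisory): an RSA public key as a JWK.
# The modulus is placeholder text, not real key material.
RSA_PUBLIC_JWK = {"kty": "RSA", "n": "placeholder-modulus", "e": "AQAB"}

HMAC_ALGS = {"HS256", "HS384", "HS512"}
ASYMMETRIC_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
                   "ES256", "ES384", "ES512", "EdDSA"}

def key_family(key):
    """'hmac' for a shared secret (bytes, str, or an 'oct' JWK); otherwise the
    JWK 'kty' of a public key ('RSA', 'EC', 'OKP')."""
    if isinstance(key, (bytes, str)):
        return "hmac"
    if isinstance(key, dict) and "kty" in key:
        return "hmac" if key["kty"] == "oct" else key["kty"]
    raise TypeError("unsupported key object")

def header_alg(token):
    """Read 'alg' from the (unverified) JOSE header of a compact JWS token."""
    seg = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))["alg"]

def verification_policy(token, key, expected_alg):
    """Return the one-element list to pass as algorithms=[...] to the JWT
    decoder, or raise ValueError if token, key and pinned algorithm disagree.
    Core rule: a public key must never be paired with an HMAC algorithm,
    because its bytes are public and anyone can compute the HMAC with them."""
    family = key_family(key)
    if expected_alg in HMAC_ALGS and family != "hmac":
        raise ValueError(f"{expected_alg} needs a shared secret, got {family} key")
    if expected_alg in ASYMMETRIC_ALGS and family == "hmac":
        raise ValueError(f"{expected_alg} needs a public key, got a shared secret")
    alg = header_alg(token)
    if alg != expected_alg:
        raise ValueError(f"token alg {alg!r} differs from pinned {expected_alg!r}")
    return [expected_alg]

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def constructed_token(alg):
    """Compact token with the given header alg, an empty payload and a
    placeholder signature; only for exercising the header check above."""
    return f"{_b64url({'alg': alg, 'typ': 'JWT'})}.{_b64url({})}.placeholder"
```

The returned list is what a caller should pass as the `algorithms` argument of the decoder, so a token whose header names a different algorithm is rejected before any signature is checked.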
Affected Systems
The issue affects all installations of the jpadilla:pyjwt package with a version older than 2.13.0. Many Python applications, including web services, API gateways, and authentication frameworks, rely on this library for token validation, so any project embedding PyJWT v2.12.x or earlier is susceptible.
Risk and Exploitability
With a CVSS score of 7.4, the vulnerability represents a high-severity risk. Although no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, the attack vector is likely remote: an adversary can submit a forged token to any endpoint that accepts JWTs. If the application accepts the token without additional checks, the attacker gains unauthorized access, compromising the confidentiality and integrity of protected resources. The absence of a public exploit suggests that this vulnerability has not yet been widely leveraged, but producing a proof of concept is not difficult, and the library is a common dependency.
OpenCVE Enrichment