CVE-2026-48522
Received Received - Intake
PyJWKClient Arbitrary File Read via SSRF

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no documented option to restrict which schemes PyJWKClient will fetch. If an application's jku URL ingestion path accepts attacker-influenced URLs (e.g., from JWT header, configuration file, OAuth flow parameter), the attacker can cause PyJWKClient to read arbitrary local files via file:// (SSRF on local filesystem), cause PyJWKClient to attempt FTP / data-URI fetches (broader SSRF surface), or forge tokens that PyJWT verifies as valid. The library does not directly return non-HTTP(S) URI contents to the attacker; the chained "plant a JWKS to forge tokens" scenario described in the original report requires additional application-layer flaws (attacker write access to a filesystem path, untrusted jku derivation) that this fix does not address. This vulnerability is fixed in 2.13.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-05-28
AI Q&A
2026-05-28
EPSS Evaluated
N/A
NVD
CVE-2026-48522
EUVD
EUVD-2026-32915
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
jpadilla pyjwt to 2.13.0 (exc)
jpadilla pyjwt 2.13.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :

This vulnerability can impact you by allowing an attacker to perform Server-Side Request Forgery (SSRF) attacks through the PyJWKClient component. Specifically, an attacker could cause the application to read arbitrary local files or fetch data using unsupported URL schemes like file:// or ftp://.

In a more severe chained attack, if the attacker has write access to the filesystem or can influence the jku URL derivation, they could plant a malicious JWKS file. This would enable them to forge tokens that the application would accept as valid, potentially bypassing authentication or authorization controls.

However, the direct impact is limited to SSRF and requires additional application-layer flaws for token forgery to succeed.


Can you explain this vulnerability to me?

CVE-2026-48522 is a vulnerability in the PyJWKClient component of the PyJWT Python library. Prior to version 2.13.0, PyJWKClient does not restrict the URL schemes it accepts when fetching JSON Web Key Sets (JWKS). This means it can fetch resources using schemes like file://, ftp://, and data:, in addition to HTTP/HTTPS.

If an attacker can influence the jku (JWK Set URL) parameter, for example through a JWT header or configuration, they can exploit this to perform Server-Side Request Forgery (SSRF). This could allow reading arbitrary local files or attempting other protocol fetches. Additionally, if the attacker can write to the targeted filesystem path, they could plant a malicious JWKS file and forge tokens that PyJWT would verify as valid.

The vulnerability is fixed in PyJWT version 2.13.0 by restricting allowed URL schemes to only HTTP and HTTPS.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your application uses PyJWT versions 2.12.1 or earlier and if it uses PyJWKClient to fetch JSON Web Key Sets (JWKS) without restricting URL schemes.

You can look for usage of the jku parameter in JWT headers or configuration files that might accept attacker-influenced URLs.

To detect potential exploitation attempts on your system or network, monitor for unusual file://, ftp://, or data: scheme requests originating from your application.

Specific commands depend on your environment, but examples include:

  • Use network monitoring tools like tcpdump or Wireshark to capture outgoing requests and filter for non-HTTP(S) schemes.
  • Search your codebase for PyJWKClient usage and check the PyJWT version with commands like `pip show pyjwt`.
  • Audit logs for suspicious access patterns or errors related to file://, ftp://, or data: URI fetches.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade PyJWT to version 2.13.0 or later, where the vulnerability is fixed.

This fixed version adds an allowed_schemes parameter to PyJWKClient that restricts URL schemes to only "https" and "http", preventing SSRF via file://, ftp://, or data: schemes.

If upgrading is not immediately possible, review and sanitize any inputs that influence the jku URL to ensure they cannot be attacker-controlled or contain disallowed schemes.

Additionally, monitor and restrict filesystem write access to paths that could be targeted for planting malicious JWK Sets.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart