CVE-2026-48524
Analyzed Analyzed - Analysis Complete
PyJWKClient Uncontrolled Resource Consumption via Unverified kid

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. This vulnerability is fixed in 2.13.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-01
Generated
2026-06-18
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-48524
EUVD
EUVD-2026-32916
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pyjwt_project pyjwt to 2.13.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-755 The product does not handle or incorrectly handles an exceptional condition.
CWE-460 The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-48524 vulnerability affects the PyJWKClient component of the PyJWT Python library. When a JWT token with an unknown or manipulated 'kid' value is received, PyJWKClient makes a fresh HTTP request to the JWKS endpoint for every such token without any rate limiting. Since the 'kid' value comes from the unverified token header, an attacker can exploit this by sending many tokens with unknown 'kid' values, causing unlimited outbound requests.

This vulnerability only surfaces when fetching the JWKS fails, which can be triggered by sustained unknown-kid traffic. The issue is worsened by improper cache handling, where network errors clear the JWKS cache, leading to repeated requests and potential denial-of-service (DoS) conditions against the JWKS endpoint.

The vulnerability affects PyJWT versions 2.4.0 through 2.12.1 and has a low severity score (CVSS 3.7). It requires no privileges or user interaction and is exploitable over the network.

Impact Analysis

This vulnerability can lead to denial-of-service (DoS) attacks by causing excessive and unbounded HTTP requests to the JWKS endpoint. This can result in high network I/O latency and potentially overwhelm the JWKS endpoint, causing cascading failures.

Such an attack could degrade the availability and reliability of services relying on PyJWT for token verification, especially if the JWKS endpoint becomes unresponsive or rate-limited due to the attack.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or excessive outbound HTTP requests to the JWKS endpoint, especially those triggered by JWT tokens with unknown or manipulated 'kid' values in their headers.

Network monitoring tools or logs can be used to identify repeated HTTP requests to the JWKS endpoint that bypass rate limiting.

While specific commands are not provided in the resources, you can use network traffic analysis commands such as:

  • tcpdump or tshark to capture and filter HTTP requests to the JWKS endpoint URL.
  • curl or wget commands to manually test the JWKS endpoint response behavior.
  • grep or jq to inspect JWT tokens for unknown or manipulated 'kid' values in logs.
Mitigation Strategies

The primary mitigation step is to upgrade PyJWT to version 2.13.0 or later, where this vulnerability is fixed.

The fix includes adding a refresh cooldown and moving cache writes from the finally block to an else block to prevent unbounded JWKS endpoint requests.

Until the upgrade is applied, consider implementing network-level rate limiting or firewall rules to limit outbound requests to the JWKS endpoint.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48524. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart