CVE-2026-48524
PyJWKClient Uncontrolled Resource Consumption via Unverified kid
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jpadilla | pyjwt | to 2.12.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-460 | The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow. |
| CWE-755 | The product does not handle or incorrectly handles an exceptional condition. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-48524 vulnerability affects the PyJWKClient component of the PyJWT Python library. When a JWT token with an unknown or manipulated 'kid' value is received, PyJWKClient makes a fresh HTTP request to the JWKS endpoint for every such token without any rate limiting. Since the 'kid' value comes from the unverified token header, an attacker can exploit this by sending many tokens with unknown 'kid' values, causing unlimited outbound requests.
This vulnerability only surfaces when fetching the JWKS fails, which can be triggered by sustained unknown-kid traffic. The issue is worsened by improper cache handling, where network errors clear the JWKS cache, leading to repeated requests and potential denial-of-service (DoS) conditions against the JWKS endpoint.
The vulnerability affects PyJWT versions 2.4.0 through 2.12.1 and has a low severity score (CVSS 3.7). It requires no privileges or user interaction and is exploitable over the network.
How can this vulnerability impact me? :
This vulnerability can lead to denial-of-service (DoS) attacks by causing excessive and unbounded HTTP requests to the JWKS endpoint. This can result in high network I/O latency and potentially overwhelm the JWKS endpoint, causing cascading failures.
Such an attack could degrade the availability and reliability of services relying on PyJWT for token verification, especially if the JWKS endpoint becomes unresponsive or rate-limited due to the attack.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual or excessive outbound HTTP requests to the JWKS endpoint, especially those triggered by JWT tokens with unknown or manipulated 'kid' values in their headers.
Network monitoring tools or logs can be used to identify repeated HTTP requests to the JWKS endpoint that bypass rate limiting.
While specific commands are not provided in the resources, you can use network traffic analysis commands such as:
- tcpdump or tshark to capture and filter HTTP requests to the JWKS endpoint URL.
- curl or wget commands to manually test the JWKS endpoint response behavior.
- grep or jq to inspect JWT tokens for unknown or manipulated 'kid' values in logs.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade PyJWT to version 2.13.0 or later, where this vulnerability is fixed.
The fix includes adding a refresh cooldown and moving cache writes from the finally block to an else block to prevent unbounded JWKS endpoint requests.
Until the upgrade is applied, consider implementing network-level rate limiting or firewall rules to limit outbound requests to the JWKS endpoint.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.