Detection Guidance

This vulnerability can be detected by checking if your PyJWT implementation is using versions prior to 2.13.0 and if your verifier is configured to accept both asymmetric (e.g., RS256) and symmetric (e.g., HS256) algorithms in the same call while also accepting raw-JSON JSON Web Keys (JWKs) as secret keys.

To detect potential exploitation attempts on your system or network, you can look for tokens signed with HS256 that use the issuer's public key as the secret key. This requires inspecting JWT tokens and their signature algorithms.

While no specific commands are provided in the resources, a general approach includes:

• Extract JWT tokens from your logs or network traffic.
• Decode the tokens using tools like jwt.io or command-line utilities (e.g., `jwt decode` from jwt-cli).
• Check the algorithm field in the token header for HS256 or other HMAC algorithms.
• Verify if the secret key used corresponds to a public key in JWK format, which should not be accepted.

Additionally, you can audit your PyJWT library version by running a command like `pip show pyjwt` to confirm the installed version.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-48526 is a vulnerability in the PyJWT library (versions up to 2.10.1) that affects how JSON Web Tokens (JWTs) are verified when both asymmetric and symmetric algorithms are supported.

Specifically, the library does not properly validate the use of JSON Web Keys (JWKs) in HMAC algorithms. An attacker can exploit this by using the issuer's public key as the secret key for the HMAC algorithm, allowing them to forge tokens.

This happens because the verifier incorrectly uses the public key (provided as a raw JSON JWK) as the secret key for HMAC verification, enabling unauthorized identity or role impersonation.

The vulnerability requires that the verifier allows both HMAC and asymmetric algorithms in the same verification call and accepts a public-key JWK as the key.

This flaw is fixed in PyJWT version 2.13.0.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a full authorization bypass in applications using vulnerable versions of PyJWT.

An attacker can forge valid tokens by exploiting the improper verification process, allowing them to impersonate users or escalate privileges without proper authentication.

Such unauthorized access can compromise sensitive data and critical application functions, potentially leading to data breaches or unauthorized actions.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability in the PyJWT library allows an attacker to forge HS256 tokens and bypass authorization, potentially enabling unauthorized identity or role impersonation.

Such unauthorized access and impersonation can lead to breaches of confidentiality and integrity of sensitive data, which are critical requirements under common standards and regulations like GDPR and HIPAA.

Therefore, if exploited, this vulnerability could result in non-compliance with these regulations due to failure to adequately protect personal or health information.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation step is to upgrade the PyJWT library to version 2.13.0 or later, where this vulnerability is fixed.

Additionally, review your JWT verification configuration to ensure that your verifier does not accept both asymmetric and symmetric algorithms in the same call, especially when using raw-JSON JWKs as keys.

Avoid passing public keys in JWK format as secret keys for HMAC algorithms.

If upgrading immediately is not possible, consider restricting the allowed algorithms to either only asymmetric or only symmetric algorithms, but not both simultaneously.

Useful 0 Not Useful 0