ByteOS Network

NVD Vulnerability Details :

CVE-2026-48524

Undergoing Analysis

Source-security-advisories@github.com

Published At-28 May, 2026 | 16:16

Updated At-28 May, 2026 | 18:03

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. This vulnerability is fixed in 2.13.0.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	3.7	LOW	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Type: Secondary

Version: 3.1

Base score: 3.7

Base severity: LOW

Vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Weaknesses

CWE ID	Type	Source
CWE-460	Primary	security-advisories@github.com
CWE-755	Primary	security-advisories@github.com

CWE ID: CWE-460

Type: Primary

Source: security-advisories@github.com

CWE ID: CWE-755

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8	security-advisories@github.com	N/A

Hyperlink: https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8

Source: security-advisories@github.com

Resource: N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History