{"uuid": "662973ac-bed3-4700-8fd3-dc9003c03df8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-fhv5-28vv-h8m8", "type": "seen", "source": "https://gist.github.com/alon710/1f95260cf4713d452e9aa65f49fefae4", "content": "# CVE-2026-48524: Remote Cache Eviction and Authentication Denial of Service in PyJWT\n\n> **CVSS Score:** 3.7\n> **Published:** 2026-06-15\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48524\n\n## Summary\nA logic flaw in PyJWT's PyJWKClient class allows remote unauthenticated attackers to trigger a complete authentication outage. By transmitting a volume of JWTs containing randomized, non-existent Key ID (kid) values, attackers force synchronous outbound JWKS resolution queries. When these queries fail or time out, a defect in the error cleanup code overwrites the local cache of valid signing keys with None, causing a denial of service.\n\n## TL;DR\nUnauthenticated attackers can send JWTs with randomized KIDs to force connection errors on the target's upstream JWKS endpoint. A flaw in the error cleanup sequence then writes None to the cache, evicting all legitimate signing keys and preventing legitimate users from authenticating.\n\n## Technical Details\n\n- **CWE ID**: CWE-460\n- **Attack Vector**: Network\n- **CVSS v3.1**: 3.7\n- **EPSS Score**: 0.00205\n- **Impact**: Denial of Service (DoS)\n- **Exploit Status**: none\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Applications utilizing the pyjwt Python package prior to version 2.13.0 with PyJWKClient enabled for dynamic key retrieval.\n- **pyjwt**: < 2.13.0 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade PyJWT to version 2.13.0 or higher\n- Implement rate limiting at the API Gateway or WAF level to throttle incoming requests with unique, unverified JWT headers\n- Validate the format and structure of the 'kid' header before initiating client database or remote lookup actions\n- Apply strict outbound connection limits and low timeouts on requests to dynamic JWKS endpoints\n\n**Remediation Steps:**\n1. Identify all deployment environments running Python-based JWT authentication layers.\n2. Check the installed PyJWT version using 'pip show pyjwt'.\n3. Upgrade the package to a safe version: 'pip install --upgrade \"pyjwt>=2.13.0\"'.\n4. Restart the application server instances to reload the newly patched dependency into memory.\n5. Set up application telemetry to alert on spikes of 'PyJWKClientConnectionError' or unhandled connection timeouts.\n\n## References\n\n- [GitHub Security Advisory GHSA-fhv5-28vv-h8m8](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8)\n- [Official CVE Record CVE-2026-48524](https://www.cve.org/CVERecord?id=CVE-2026-48524)\n- [PyJWT Commit Fix 95791b1759b8aa4f2203575d344d5c78564cdc81](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48524) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T17:41:21.000000Z"}