{"vulnerability": "CVE-2026-48526", "sightings": [{"uuid": "c45639e4-1719-4798-a87d-e4f9e0da5462", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48526", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmwksx74os2e", "content": "CVE-2026-48526 - PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed\nCVE ID : CVE-2026-48526\n \n Published : May 28, 2026, 4:16 p.m. | 15\u00a0minutes ago\n \n Description : PyJWT is a JSON Web Token implementation in Python. Prior...", "creation_timestamp": "2026-05-28T17:38:22.790548Z"}, {"uuid": "f37007a3-5fbd-471b-9966-f4bba1f6fcf4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48526", "type": "seen", "source": "https://gist.github.com/alon710/93387c2165378ba3df7fa81047a5bf97", "content": "# CVE-2026-48526: CVE-2026-48526: Algorithm Confusion Vulnerability in PyJWT\n\n> **CVSS Score:** 7.4\n> **Published:** 2026-05-28\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48526\n\n## Summary\nCVE-2026-48526 is an algorithm-confusion vulnerability in PyJWT prior to version 2.13.0. When an application decodes tokens using a raw JSON Web Key (JWK) string while simultaneously supporting mixed algorithm families (symmetric and asymmetric), PyJWT does not validate that the key matches its intended algorithm context. This allows an attacker to sign a forged token using the public JWK string as an HMAC symmetric secret, bypassing authentication controls.\n\n## TL;DR\nAn algorithm-confusion vulnerability in PyJWT allows remote attackers to bypass authentication by signing forged tokens with a public JWK string treated as a symmetric HMAC secret.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-287\n- **Attack Vector**: Network\n- **CVSS**: 7.4\n- **EPSS Score**: 0.00017\n- **Impact**: High\n- **Exploit Status**: Proof-of-Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- pyjwt (Python JSON Web Token Library)\n- **pyjwt**: < 2.13.0 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade pyjwt to version 2.13.0 or later.\n- Do not allow mixed algorithm families in jwt.decode calls.\n- Parse public keys explicitly using PyJWK rather than passing raw JSON strings.\n\n**Remediation Steps:**\n1. Run `pip install --upgrade pyjwt` to update to 2.13.0+.\n2. Review jwt.decode usage to ensure the algorithms list is restricted strictly to either symmetric (e.g. HS256) or asymmetric (e.g. RS256) families.\n3. Modify raw key-loading paths to parse JWK dictionaries using `jwt.PyJWK` before verification.\n\n## References\n\n- [NVD - CVE-2026-48526](https://nvd.nist.gov/vuln/detail/CVE-2026-48526)\n- [CVE-2026-48526 Record](https://www.cve.org/CVERecord?id=CVE-2026-48526)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48526) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-04T08:21:13.000000Z"}]}
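The sighting above describes the confusion pattern (a public JWK string handed to a decoder whose allowed algorithms span the HMAC and RSA families, so an attacker-chosen `alg: HS256` header turns the public key into the HMAC secret) and its mitigation (pin one algorithm family, and parse the JWK instead of passing the raw string). The following is an added, standard-library-only model of both sides, written for this page; it is not PyJWT's code, not the fix shipped in 2.13.0, and not the CVEReports author's material. `PUBLIC_JWK_JSON` is a constructed placeholder whose RSA parameters are not a real key, the function names are hypothetical, the asymmetric branch is deliberately not implemented because the forged token never reaches it, and `key_family` is this example's own classification check rather than the exact validation PyJWT added.

```python
import base64
import hashlib
import hmac
import json

SYMMETRIC_ALGS = {"HS256", "HS384", "HS512"}

# Constructed public JWK standing in for one fetched from a JWKS endpoint.
# The parameters are placeholders, not a real key; only the shape matters here.
PUBLIC_JWK_JSON = json.dumps(
    {"kty": "RSA", "kid": "2026-05", "alg": "RS256", "n": "0vx7agoebGcQSuuPiLJXZpt", "e": "AQAB"},
    separators=(",", ":"))


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def forge_hs256(payload: dict, secret: str) -> str:
    """Attacker side: mint an HS256 token with whatever string the verifier will feed to HMAC."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    return signing_input + "." + b64url(hs256(signing_input.encode(), secret.encode()))


def _split(token: str):
    head, body, sig = token.split(".")
    return head, body, sig, json.loads(b64url_decode(head)).get("alg")


def vulnerable_decode(token: str, key: str, algorithms: list) -> dict:
    """Unsafe pattern from the advisory: one key string, an algorithms list spanning both
    families, and the algorithm chosen by the untrusted header. Not PyJWT's code."""
    head, body, sig, alg = _split(token)
    if alg not in algorithms:
        raise ValueError("alg not permitted")
    if alg in SYMMETRIC_ALGS:
        # The public JWK string becomes the HMAC secret, and the attacker knows it too.
        expected = hs256(f"{head}.{body}".encode(), key.encode())
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise ValueError("bad signature")
        return json.loads(b64url_decode(body))
    # RSA verification would go here. The forged token never reaches this branch because
    # the attacker chose alg=HS256 in the header they control, so it is not modelled.
    raise NotImplementedError("asymmetric verification not modelled in this example")


def key_family(key: str) -> str:
    """Classify key material before any signature check (this example's own check): PEM
    text or a JWK with an asymmetric kty is public-key material, never an HMAC secret."""
    if key.lstrip().startswith("-----BEGIN"):
        return "asymmetric"
    try:
        jwk = json.loads(key)
    except ValueError:
        return "symmetric"  # opaque shared secret
    if isinstance(jwk, dict) and jwk.get("kty") in ("RSA", "EC", "OKP"):
        return "asymmetric"
    return "symmetric"


def hardened_decode(token: str, key: str, algorithms: list) -> dict:
    """Same verifier with the two checks the advisory's mitigation asks for."""
    families = {"symmetric" if a in SYMMETRIC_ALGS else "asymmetric" for a in algorithms}
    if len(families) != 1:
        raise ValueError("algorithms must not mix symmetric and asymmetric families")
    head, body, sig, alg = _split(token)
    if alg not in algorithms:
        raise ValueError("alg not permitted")
    if alg in SYMMETRIC_ALGS:
        if key_family(key) != "symmetric":
            raise ValueError("public-key material rejected as HMAC secret")
        expected = hs256(f"{head}.{body}".encode(), key.encode())
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise ValueError("bad signature")
        return json.loads(b64url_decode(body))
    raise NotImplementedError("asymmetric verification not modelled in this example")


def run_demo() -> dict:
    """Forge with the public JWK, then try each verifier; returns what each one did."""
    forged = forge_hs256({"sub": "admin", "role": "superuser"}, PUBLIC_JWK_JSON)
    results = {"vulnerable": vulnerable_decode(forged, PUBLIC_JWK_JSON, ["HS256", "RS256"])["role"]}
    for label, algs in (("mixed", ["HS256", "RS256"]), ("pinned_rs", ["RS256"]), ("pinned_hs", ["HS256"])):
        try:
            hardened_decode(forged, PUBLIC_JWK_JSON, algs)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = str(exc)
    # A genuine shared secret still verifies under the hardened path.
    legit = forge_hs256({"sub": "alice"}, "correct-horse-battery-staple")
    results["legit_hs"] = hardened_decode(legit, "correct-horse-battery-staple", ["HS256"])["sub"]
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

`run_demo` shows the forged token passing the mixed-family verifier, then being refused three separate ways by the hardened one: the mixed algorithms list is rejected before any token is parsed, a list pinned to RS256 refuses the HS256 header, and a list pinned to HS256 refuses the public JWK as a secret. In a real PyJWT deployment the equivalent steps are the ones the sighting lists: upgrade to 2.13.0, keep `algorithms=` within one family, and load JWKs through `jwt.PyJWK` so the key object carries its own type.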