CVE-2026-32597 (GCVE-0-2026-32597)
Vulnerability from cvelistv5 – Published: 2026-03-12 21:41 – Updated: 2026-05-05 17:32
Title
PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
Summary
PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jpadilla/pyjwt/security/adviso… | x_refsource_CONFIRM |
| https://lists.debian.org/debian-lts-announce/2026… | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32597",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T14:48:42.534762Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T14:58:58.769Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-05-05T17:32:42.698Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "pyjwt",
"vendor": "jpadilla",
"versions": [
{
"status": "affected",
"version": "\u003c 2.12.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 \u00a74.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T21:41:50.427Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f"
}
],
"source": {
"advisory": "GHSA-752w-5fwx-jx9f",
"discovery": "UNKNOWN"
},
"title": "PyJWT accepts unknown `crit` header extensions (RFC 7515 \u00a74.1.11 MUST violation)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32597",
"datePublished": "2026-03-12T21:41:50.427Z",
"dateReserved": "2026-03-12T14:54:24.269Z",
"dateUpdated": "2026-05-05T17:32:42.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-32597",
"date": "2026-06-10",
"epss": "0.00014",
"percentile": "0.02597"
},
"vulnrichment": {
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
SUSE-SU-2026:1199-1
Vulnerability from csaf_suse - Published: 2026-04-07 10:25 - Updated: 2026-04-07 10:25
Summary
Security update for python-PyJWT
Severity
Important
Notes
Title of the patch: Security update for python-PyJWT
Description of the patch: This update for python-PyJWT fixes the following issues:
- CVE-2026-32597: Fixed unknown `crit` header extensions accepts (bsc#1259616).
Patchnames: SUSE-2026-1199,SUSE-SLE-Module-Public-Cloud-12-2026-1199
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 12:python-PyJWT-1.5.3-3.19.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 12:python3-PyJWT-1.5.3-3.19.1.noarch | — | | Vendor Fix |
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-PyJWT",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-PyJWT fixes the following issues:\n\n- CVE-2026-32597: Fixed unknown `crit` header extensions accepts (bsc#1259616).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-1199,SUSE-SLE-Module-Public-Cloud-12-2026-1199",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_1199-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:1199-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20261199-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:1199-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-April/045291.html"
},
{
"category": "self",
"summary": "SUSE Bug 1259616",
"url": "https://bugzilla.suse.com/1259616"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32597 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32597/"
}
],
"title": "Security update for python-PyJWT",
"tracking": {
"current_release_date": "2026-04-07T10:25:37Z",
"generator": {
"date": "2026-04-07T10:25:37Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:1199-1",
"initial_release_date": "2026-04-07T10:25:37Z",
"revision_history": [
{
"date": "2026-04-07T10:25:37Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python-PyJWT-1.5.3-3.19.1.noarch",
"product": {
"name": "python-PyJWT-1.5.3-3.19.1.noarch",
"product_id": "python-PyJWT-1.5.3-3.19.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-PyJWT-1.5.3-3.19.1.noarch",
"product": {
"name": "python3-PyJWT-1.5.3-3.19.1.noarch",
"product_id": "python3-PyJWT-1.5.3-3.19.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Public Cloud 12",
"product": {
"name": "SUSE Linux Enterprise Module for Public Cloud 12",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-public-cloud:12"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-PyJWT-1.5.3-3.19.1.noarch as component of SUSE Linux Enterprise Module for Public Cloud 12",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 12:python-PyJWT-1.5.3-3.19.1.noarch"
},
"product_reference": "python-PyJWT-1.5.3-3.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-PyJWT-1.5.3-3.19.1.noarch as component of SUSE Linux Enterprise Module for Public Cloud 12",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 12:python3-PyJWT-1.5.3-3.19.1.noarch"
},
"product_reference": "python3-PyJWT-1.5.3-3.19.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 12"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32597",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32597"
}
],
"notes": [
{
"category": "general",
"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Public Cloud 12:python-PyJWT-1.5.3-3.19.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 12:python3-PyJWT-1.5.3-3.19.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32597",
"url": "https://www.suse.com/security/cve/CVE-2026-32597"
},
{
"category": "external",
"summary": "SUSE Bug 1259616 for CVE-2026-32597",
"url": "https://bugzilla.suse.com/1259616"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Public Cloud 12:python-PyJWT-1.5.3-3.19.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 12:python3-PyJWT-1.5.3-3.19.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Public Cloud 12:python-PyJWT-1.5.3-3.19.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 12:python3-PyJWT-1.5.3-3.19.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-07T10:25:37Z",
"details": "important"
}
],
"title": "CVE-2026-32597"
}
]
}
SUSE-SU-2026:1389-1
Vulnerability from csaf_suse - Published: 2026-04-16 09:19 - Updated: 2026-04-16 09:19
Summary
Security update for python-PyJWT
Severity
Important
Notes
Title of the patch: Security update for python-PyJWT
Description of the patch: This update for python-PyJWT fixes the following issues:
- CVE-2026-32597: Fixed unknown `crit` header extensions accepts (bsc#1259616).
Patchnames: SUSE-2026-1389,SUSE-SLE-Module-Public-Cloud-15-SP4-2026-1389,SUSE-SLE-Module-Python3-15-SP7-2026-1389,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-1389,SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-1389,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-1389,SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-1389,SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-1389,SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-1389,SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-1389,SUSE-SLE-Product-SLES_SAP-15-SP4-2026-1389,SUSE-SLE-Product-SLES_SAP-15-SP5-2026-1389,SUSE-SLE-Product-SLES_SAP-15-SP6-2026-1389,openSUSE-SLE-15.6-2026-1389
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-PyJWT-2.8.0-150400.8.10.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:python311-PyJWT-2.8.0-150400.8.10.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 15 SP4:python311-PyJWT-2.8.0-150400.8.10.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Python 3 15 SP7:python311-PyJWT-2.8.0-150400.8.10.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-PyJWT-2.8.0-150400.8.10.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:python311-PyJWT-2.8.0-150400.8.10.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:python311-PyJWT-2.8.0-150400.8.10.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.6:python311-PyJWT-2.8.0-150400.8.10.1.noarch | — | | Vendor Fix |
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-PyJWT",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-PyJWT fixes the following issues:\n\n- CVE-2026-32597: Fixed unknown `crit` header extensions accepts (bsc#1259616).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-1389,SUSE-SLE-Module-Public-Cloud-15-SP4-2026-1389,SUSE-SLE-Module-Python3-15-SP7-2026-1389,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-1389,SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-1389,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-1389,SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-1389,SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-1389,SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-1389,SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-1389,SUSE-SLE-Product-SLES_SAP-15-SP4-2026-1389,SUSE-SLE-Product-SLES_SAP-15-SP5-2026-1389,SUSE-SLE-Product-SLES_SAP-15-SP6-2026-1389,openSUSE-SLE-15.6-2026-1389",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_1389-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:1389-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20261389-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:1389-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-April/045612.html"
},
{
"category": "self",
"summary": "SUSE Bug 1259616",
"url": "https://bugzilla.suse.com/1259616"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32597 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32597/"
}
],
"title": "Security update for python-PyJWT",
"tracking": {
"current_release_date": "2026-04-16T09:19:26Z",
"generator": {
"date": "2026-04-16T09:19:26Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:1389-1",
"initial_release_date": "2026-04-16T09:19:26Z",
"revision_history": [
{
"date": "2026-04-16T09:19:26Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"product": {
"name": "python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"product_id": "python311-PyJWT-2.8.0-150400.8.10.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-public-cloud:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Python 3 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Python 3 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Python 3 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-python3:15:sp7"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp6"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-PyJWT-2.8.0-150400.8.10.1.noarch as component of SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python311-PyJWT-2.8.0-150400.8.10.1.noarch"
},
"product_reference": "python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-PyJWT-2.8.0-150400.8.10.1.noarch as component of SUSE Linux Enterprise Module for Python 3 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Python 3 15 SP7:python311-PyJWT-2.8.0-150400.8.10.1.noarch"
},
"product_reference": "python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Python 3 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-PyJWT-2.8.0-150400.8.10.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-PyJWT-2.8.0-150400.8.10.1.noarch"
},
"product_reference": "python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-PyJWT-2.8.0-150400.8.10.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch"
},
"product_reference": "python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-PyJWT-2.8.0-150400.8.10.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:python311-PyJWT-2.8.0-150400.8.10.1.noarch"
},
"product_reference": "python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-PyJWT-2.8.0-150400.8.10.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch"
},
"product_reference": "python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-PyJWT-2.8.0-150400.8.10.1.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch"
},
"product_reference": "python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-PyJWT-2.8.0-150400.8.10.1.noarch as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch"
},
"product_reference": "python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-PyJWT-2.8.0-150400.8.10.1.noarch as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch"
},
"product_reference": "python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-PyJWT-2.8.0-150400.8.10.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-PyJWT-2.8.0-150400.8.10.1.noarch"
},
"product_reference": "python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-PyJWT-2.8.0-150400.8.10.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:python311-PyJWT-2.8.0-150400.8.10.1.noarch"
},
"product_reference": "python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-PyJWT-2.8.0-150400.8.10.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6:python311-PyJWT-2.8.0-150400.8.10.1.noarch"
},
"product_reference": "python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-PyJWT-2.8.0-150400.8.10.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:python311-PyJWT-2.8.0-150400.8.10.1.noarch"
},
"product_reference": "python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32597",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32597"
}
],
"notes": [
{
"category": "general",
"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Module for Python 3 15 SP7:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"openSUSE Leap 15.6:python311-PyJWT-2.8.0-150400.8.10.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32597",
"url": "https://www.suse.com/security/cve/CVE-2026-32597"
},
{
"category": "external",
"summary": "SUSE Bug 1259616 for CVE-2026-32597",
"url": "https://bugzilla.suse.com/1259616"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Module for Python 3 15 SP7:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"openSUSE Leap 15.6:python311-PyJWT-2.8.0-150400.8.10.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Module for Python 3 15 SP7:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:python311-PyJWT-2.8.0-150400.8.10.1.noarch",
"openSUSE Leap 15.6:python311-PyJWT-2.8.0-150400.8.10.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-16T09:19:26Z",
"details": "important"
}
],
"title": "CVE-2026-32597"
}
]
}
SUSE-SU-2026:1400-1
Vulnerability from csaf_suse - Published: 2026-04-16 10:47 - Updated: 2026-04-16 10:47
Summary
Security update for python-PyJWT
Severity
Important
Notes
Title of the patch: Security update for python-PyJWT
Description of the patch: This update for python-PyJWT fixes the following issues:
- CVE-2026-32597: Fixed unknown `crit` header extensions accepts (bsc#1259616).
Patchnames: SUSE-2026-1400,SUSE-SLE-Micro-5.5-2026-1400,SUSE-SLE-Module-Basesystem-15-SP7-2026-1400,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-1400,SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-1400,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-1400,SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-1400,SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-1400,SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-1400,SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-1400,SUSE-SLE-Product-SLES_SAP-15-SP4-2026-1400,SUSE-SLE-Product-SLES_SAP-15-SP5-2026-1400,SUSE-SLE-Product-SLES_SAP-15-SP6-2026-1400
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python3-PyJWT-2.4.0-150200.3.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:python3-PyJWT-2.4.0-150200.3.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Micro 5.5:python3-PyJWT-2.4.0-150200.3.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:python3-PyJWT-2.4.0-150200.3.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:python3-PyJWT-2.4.0-150200.3.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:python3-PyJWT-2.4.0-150200.3.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:python3-PyJWT-2.4.0-150200.3.11.1.noarch | — | | Vendor Fix |
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-PyJWT",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-PyJWT fixes the following issues:\n\n- CVE-2026-32597: Fixed unknown `crit` header extensions accepts (bsc#1259616).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-1400,SUSE-SLE-Micro-5.5-2026-1400,SUSE-SLE-Module-Basesystem-15-SP7-2026-1400,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-1400,SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-1400,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-1400,SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-1400,SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-1400,SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-1400,SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-1400,SUSE-SLE-Product-SLES_SAP-15-SP4-2026-1400,SUSE-SLE-Product-SLES_SAP-15-SP5-2026-1400,SUSE-SLE-Product-SLES_SAP-15-SP6-2026-1400",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_1400-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:1400-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20261400-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:1400-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-April/045601.html"
},
{
"category": "self",
"summary": "SUSE Bug 1259616",
"url": "https://bugzilla.suse.com/1259616"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32597 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32597/"
}
],
"title": "Security update for python-PyJWT",
"tracking": {
"current_release_date": "2026-04-16T10:47:53Z",
"generator": {
"date": "2026-04-16T10:47:53Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:1400-1",
"initial_release_date": "2026-04-16T10:47:53Z",
"revision_history": [
{
"date": "2026-04-16T10:47:53Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"product": {
"name": "python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"product_id": "python3-PyJWT-2.4.0-150200.3.11.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Micro 5.5",
"product": {
"name": "SUSE Linux Enterprise Micro 5.5",
"product_id": "SUSE Linux Enterprise Micro 5.5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-micro:5.5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15:sp7"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-PyJWT-2.4.0-150200.3.11.1.noarch as component of SUSE Linux Enterprise Micro 5.5",
"product_id": "SUSE Linux Enterprise Micro 5.5:python3-PyJWT-2.4.0-150200.3.11.1.noarch"
},
"product_reference": "python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-PyJWT-2.4.0-150200.3.11.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:python3-PyJWT-2.4.0-150200.3.11.1.noarch"
},
"product_reference": "python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-PyJWT-2.4.0-150200.3.11.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python3-PyJWT-2.4.0-150200.3.11.1.noarch"
},
"product_reference": "python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-PyJWT-2.4.0-150200.3.11.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch"
},
"product_reference": "python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-PyJWT-2.4.0-150200.3.11.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:python3-PyJWT-2.4.0-150200.3.11.1.noarch"
},
"product_reference": "python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-PyJWT-2.4.0-150200.3.11.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch"
},
"product_reference": "python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-PyJWT-2.4.0-150200.3.11.1.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch"
},
"product_reference": "python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-PyJWT-2.4.0-150200.3.11.1.noarch as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch"
},
"product_reference": "python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-PyJWT-2.4.0-150200.3.11.1.noarch as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch"
},
"product_reference": "python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-PyJWT-2.4.0-150200.3.11.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:python3-PyJWT-2.4.0-150200.3.11.1.noarch"
},
"product_reference": "python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-PyJWT-2.4.0-150200.3.11.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:python3-PyJWT-2.4.0-150200.3.11.1.noarch"
},
"product_reference": "python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-PyJWT-2.4.0-150200.3.11.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6:python3-PyJWT-2.4.0-150200.3.11.1.noarch"
},
"product_reference": "python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32597",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32597"
}
],
"notes": [
{
"category": "general",
"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Micro 5.5:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:python3-PyJWT-2.4.0-150200.3.11.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32597",
"url": "https://www.suse.com/security/cve/CVE-2026-32597"
},
{
"category": "external",
"summary": "SUSE Bug 1259616 for CVE-2026-32597",
"url": "https://bugzilla.suse.com/1259616"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Micro 5.5:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:python3-PyJWT-2.4.0-150200.3.11.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Micro 5.5:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:python3-PyJWT-2.4.0-150200.3.11.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:python3-PyJWT-2.4.0-150200.3.11.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-16T10:47:53Z",
"details": "important"
}
],
"title": "CVE-2026-32597"
}
]
}
SUSE-SU-2026:20839-1
Vulnerability from csaf_suse - Published: 2026-03-25 18:08 - Updated: 2026-03-25 18:08
Summary
Security update for python-PyJWT
Severity
Important
Notes
Title of the patch: Security update for python-PyJWT
Description of the patch: This update for python-PyJWT fixes the following issue:
Update to PyJWT 2.12.1:
- CVE-2026-32597: PyJWT accepts unknown `crit` header extensions (bsc#1259616).
Changelog:
Update to 2.12.1:
- Add missing typing_extensions dependency for Python < 3.11 in #1150
Update to 2.12.0:
- Annotate PyJWKSet.keys for pyright by @tamird in #1134
- Close HTTPError response to prevent ResourceWarning on Python 3.14 by @veeceey in #1133
- Do not keep algorithms dict in PyJWK instances by @akx in #1143
- Use PyJWK algorithm when encoding without explicit algorithm in #1148
- Docs: Add PyJWKClient API reference and document the two-tier caching system (JWK Set cache and signing key LRU cache).
Update to 2.11.0:
- Enforce ECDSA curve validation per RFC 7518 Section 3.4.
- Fix build system warnings by @kurtmckee in #1105
- Validate key against allowed types for Algorithm family in #964
- Add iterator for JWKSet in #1041
- Validate iss claim is a string during encoding and decoding by @pachewise in #1040
- Improve typing/logic for options in decode, decode_complete by @pachewise in #1045
- Declare float supported type for lifespan and timeout by @nikitagashkov in #1068
- Fix SyntaxWarnings/DeprecationWarnings caused by invalid escape sequences by @kurtmckee in #1103
- Development: Build a shared wheel once to speed up test suite setup times by @kurtmckee in #1114
- Development: Test type annotations across all supported Python versions, increase the strictness of the type checking, and remove the mypy pre-commit hook by @kurtmckee in #1112
- Support Python 3.14, and test against PyPy 3.10 and 3.11 by @kurtmckee in #1104
- Development: Migrate to build to test package building in CI by @kurtmckee in #1108
- Development: Improve coverage config and eliminate unused test suite code by @kurtmckee in #1115
- Docs: Standardize CHANGELOG links to PRs by @kurtmckee in #1110
- Docs: Fix Read the Docs builds by @kurtmckee in #1111
- Docs: Add example of using leeway with nbf by @djw8605 in #1034
- Docs: Refactored docs with autodoc; added PyJWS and jwt.algorithms docs by @pachewise in #1045
- Docs: Documentation improvements for "sub" and "jti" claims by @cleder in #1088
- Development: Add pyupgrade as a pre-commit hook by @kurtmckee in #1109
- Add minimum key length validation for HMAC and RSA keys (CWE-326). Warns by default via InsecureKeyLengthWarning when keys are below minimum recommended lengths per RFC 7518 Section 3.2 (HMAC) and NIST SP 800-131A (RSA). Pass enforce_minimum_key_length=True in options to PyJWT or PyJWS to raise InvalidKeyError instead.
- Refactor PyJWT to own an internal PyJWS instance instead of calling global api_jws functions.
Patchnames: SUSE-SL-Micro-6.2-445
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.2:python313-PyJWT-2.12.1-160000.1.1.noarch | — | | Vendor Fix |
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-PyJWT",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-PyJWT fixes the following issue:\n\nUpdate to PyJWT 2.12.1:\n\n- CVE-2026-32597: PyJWT accepts unknown `crit` header extensions (bsc#1259616).\n\nChangelog:\n\nUpdate to 2.12.1:\n\n - Add missing typing_extensions dependency for Python \u003c 3.11 in\n #1150\n\nUpdate to 2.12.0:\n\n - Annotate PyJWKSet.keys for pyright by @tamird in #1134\n - Close HTTPError response to prevent ResourceWarning on\n Python 3.14 by @veeceey in #1133\n - Do not keep algorithms dict in PyJWK instances by @akx in\n #1143\n - Use PyJWK algorithm when encoding without explicit\n algorithm in #1148\n - Docs: Add PyJWKClient API reference and document the\n two-tier caching system (JWK Set cache and signing key LRU\n cache).\n\nUpdate to 2.11.0:\n\n - Enforce ECDSA curve validation per RFC 7518 Section 3.4.\n - Fix build system warnings by @kurtmckee in #1105\n - Validate key against allowed types for Algorithm family in\n #964\n - Add iterator for JWKSet in #1041\n - Validate iss claim is a string during encoding and decoding\n by @pachewise in #1040\n - Improve typing/logic for options in decode, decode_complete\n by @pachewise in #1045\n - Declare float supported type for lifespan and timeout by\n @nikitagashkov in #1068\n - Fix SyntaxWarnings/DeprecationWarnings caused by invalid\n escape sequences by @kurtmckee in #1103\n - Development: Build a shared wheel once to speed up test\n suite setup times by @kurtmckee in #1114\n - Development: Test type annotations across all supported\n Python versions, increase the strictness of the type\n checking, and remove the mypy pre-commit hook by @kurtmckee\n in #1112\n - Support Python 3.14, and test against PyPy 3.10 and 3.11 by\n @kurtmckee in #1104\n - Development: Migrate to build to test package building in\n CI by @kurtmckee in #1108\n - Development: Improve coverage config and eliminate unused\n test suite code by @kurtmckee in #1115\n - Docs: Standardize CHANGELOG links to PRs by @kurtmckee in\n #1110\n - Docs: Fix Read the Docs builds by @kurtmckee in #1111\n - Docs: Add example of using leeway with nbf by @djw8605 in\n #1034\n - Docs: Refactored docs with autodoc; added PyJWS and\n jwt.algorithms docs by @pachewise in #1045\n - Docs: Documentation improvements for \"sub\" and \"jti\" claims\n by @cleder in #1088\n - Development: Add pyupgrade as a pre-commit hook by\n @kurtmckee in #1109\n - Add minimum key length validation for HMAC and RSA keys\n (CWE-326). Warns by default via InsecureKeyLengthWarning\n when keys are below minimum recommended lengths per RFC\n 7518 Section 3.2 (HMAC) and NIST SP 800-131A (RSA). Pass\n enforce_minimum_key_length=True in options to PyJWT or\n PyJWS to raise InvalidKeyError instead.\n - Refactor PyJWT to own an internal PyJWS instance instead of\n calling global api_jws functions.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SL-Micro-6.2-445",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_20839-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:20839-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620839-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:20839-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024998.html"
},
{
"category": "self",
"summary": "SUSE Bug 1259616",
"url": "https://bugzilla.suse.com/1259616"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32597 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32597/"
}
],
"title": "Security update for python-PyJWT",
"tracking": {
"current_release_date": "2026-03-25T18:08:28Z",
"generator": {
"date": "2026-03-25T18:08:28Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:20839-1",
"initial_release_date": "2026-03-25T18:08:28Z",
"revision_history": [
{
"date": "2026-03-25T18:08:28Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python313-PyJWT-2.12.1-160000.1.1.noarch",
"product": {
"name": "python313-PyJWT-2.12.1-160000.1.1.noarch",
"product_id": "python313-PyJWT-2.12.1-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.2",
"product": {
"name": "SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-PyJWT-2.12.1-160000.1.1.noarch as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:python313-PyJWT-2.12.1-160000.1.1.noarch"
},
"product_reference": "python313-PyJWT-2.12.1-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32597",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32597"
}
],
"notes": [
{
"category": "general",
"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:python313-PyJWT-2.12.1-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32597",
"url": "https://www.suse.com/security/cve/CVE-2026-32597"
},
{
"category": "external",
"summary": "SUSE Bug 1259616 for CVE-2026-32597",
"url": "https://bugzilla.suse.com/1259616"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:python313-PyJWT-2.12.1-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:python313-PyJWT-2.12.1-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-25T18:08:28Z",
"details": "important"
}
],
"title": "CVE-2026-32597"
}
]
}
SUSE-SU-2026:20869-1
Vulnerability from csaf_suse - Published: 2026-03-25 09:31 - Updated: 2026-03-25 09:31
Summary
Security update for python-PyJWT
Severity
Important
Notes
Title of the patch: Security update for python-PyJWT
Description of the patch: This update for python-PyJWT fixes the following issue:
- CVE-2026-32597: validate the `crit` Header Parameter defined in RFC 7515 (bsc#1259616).
Patchnames: SUSE-SLE-Micro-6.0-642
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.0:python311-PyJWT-2.9.0-2.1.noarch | — | | Vendor Fix |
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-PyJWT",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-PyJWT fixes the following issue:\n\n- CVE-2026-32597: validate the `crit` Header Parameter defined in RFC 7515 (bsc#1259616).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.0-642",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_20869-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:20869-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620869-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:20869-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024972.html"
},
{
"category": "self",
"summary": "SUSE Bug 1259616",
"url": "https://bugzilla.suse.com/1259616"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32597 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32597/"
}
],
"title": "Security update for python-PyJWT",
"tracking": {
"current_release_date": "2026-03-25T09:31:26Z",
"generator": {
"date": "2026-03-25T09:31:26Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:20869-1",
"initial_release_date": "2026-03-25T09:31:26Z",
"revision_history": [
{
"date": "2026-03-25T09:31:26Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-PyJWT-2.9.0-2.1.noarch",
"product": {
"name": "python311-PyJWT-2.9.0-2.1.noarch",
"product_id": "python311-PyJWT-2.9.0-2.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.0",
"product": {
"name": "SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.0"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-PyJWT-2.9.0-2.1.noarch as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:python311-PyJWT-2.9.0-2.1.noarch"
},
"product_reference": "python311-PyJWT-2.9.0-2.1.noarch",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32597",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32597"
}
],
"notes": [
{
"category": "general",
"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:python311-PyJWT-2.9.0-2.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32597",
"url": "https://www.suse.com/security/cve/CVE-2026-32597"
},
{
"category": "external",
"summary": "SUSE Bug 1259616 for CVE-2026-32597",
"url": "https://bugzilla.suse.com/1259616"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:python311-PyJWT-2.9.0-2.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:python311-PyJWT-2.9.0-2.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-25T09:31:26Z",
"details": "important"
}
],
"title": "CVE-2026-32597"
}
]
}
SUSE-SU-2026:20879-1
Vulnerability from csaf_suse - Published: 2026-03-26 08:57 - Updated: 2026-03-26 08:57
Summary
Security update for python-PyJWT
Severity
Important
Notes
Title of the patch: Security update for python-PyJWT
Description of the patch: This update for python-PyJWT fixes the following issues:
Update to PyJWT 2.12.1:
- CVE-2024-53861: prevent partial matching of the Issuer field (bsc#1234038).
- CVE-2026-32597: validate the crit Header Parameter defined in RFC 7515 (bsc#1259616).
Changelog:
Update to 2.12.1:
- Add missing typing_extensions dependency for Python < 3.11 in
#1150
Update to 2.12.0:
- Annotate PyJWKSet.keys for pyright by @tamird in #1134
- Close HTTPError response to prevent ResourceWarning on
Python 3.14 by @veeceey in #1133
- Do not keep algorithms dict in PyJWK instances by @akx in
#1143
- Use PyJWK algorithm when encoding without explicit
algorithm in #1148
- Docs: Add PyJWKClient API reference and document the
two-tier caching system (JWK Set cache and signing key LRU
cache).
Update to 2.11.0:
- Enforce ECDSA curve validation per RFC 7518 Section 3.4.
- Fix build system warnings by @kurtmckee in #1105
- Validate key against allowed types for Algorithm family in
#964
- Add iterator for JWKSet in #1041
- Validate iss claim is a string during encoding and decoding
by @pachewise in #1040
- Improve typing/logic for options in decode, decode_complete
by @pachewise in #1045
- Declare float supported type for lifespan and timeout by
@nikitagashkov in #1068
- Fix SyntaxWarnings/DeprecationWarnings caused by invalid
escape sequences by @kurtmckee in #1103
- Development: Build a shared wheel once to speed up test
suite setup times by @kurtmckee in #1114
- Development: Test type annotations across all supported
Python versions, increase the strictness of the type
checking, and remove the mypy pre-commit hook by @kurtmckee
in #1112
- Support Python 3.14, and test against PyPy 3.10 and 3.11 by
@kurtmckee in #1104
- Development: Migrate to build to test package building in
CI by @kurtmckee in #1108
- Development: Improve coverage config and eliminate unused
test suite code by @kurtmckee in #1115
- Docs: Standardize CHANGELOG links to PRs by @kurtmckee in
#1110
- Docs: Fix Read the Docs builds by @kurtmckee in #1111
- Docs: Add example of using leeway with nbf by @djw8605 in
#1034
- Docs: Refactored docs with autodoc; added PyJWS and
jwt.algorithms docs by @pachewise in #1045
- Docs: Documentation improvements for "sub" and "jti" claims
by @cleder in #1088
- Development: Add pyupgrade as a pre-commit hook by
@kurtmckee in #1109
- Add minimum key length validation for HMAC and RSA keys
(CWE-326). Warns by default via InsecureKeyLengthWarning
when keys are below minimum recommended lengths per RFC
7518 Section 3.2 (HMAC) and NIST SP 800-131A (RSA). Pass
enforce_minimum_key_length=True in options to PyJWT or
PyJWS to raise InvalidKeyError instead.
- Refactor PyJWT to own an internal PyJWS instance instead of
calling global api_jws functions.
Update to 2.10.0:
* chore: use sequence for typing rather than list
* Add support for Python 3.13
* [pre-commit.ci] pre-commit autoupdate
* Add an RTD config file to resolve RTD build failures
* docs: Update iat exception docs
* Remove algorithm requirement for JWT API
* Create SECURITY.md
* docs fix: decode_complete scope and algorithms
* fix doctest for docs/usage.rst
* fix test_utils.py not to xfail
* Correct jwt.decode audience param doc expression
* Add PS256 encoding and decoding usage
* Add API docs for PyJWK
* Refactor project configuration files from setup.cfg to pyproject.toml PEP-518
* Add JWK support to JWT encode
* Update pre-commit hooks to lint pyproject.toml
* Add EdDSA algorithm encoding/decoding usage
* Ruff linter and formatter changes
* Validate sub and jti claims for the token
* Add ES256 usage
* Encode EC keys with a fixed bit length
* Drop support for Python 3.8
* Prepare 2.10.0 release
* Bump codecov/codecov-action from 4 to 5
Patchnames: SUSE-SLE-Micro-6.1-463
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.1:python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch | — | | Vendor Fix |
Threats
Impact
important
7.5 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.1:python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch | — | | Vendor Fix |
Threats
Impact
important
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-PyJWT",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-PyJWT fixes the following issues:\n\nUpdate to PyJWT 2.12.1:\n\n- CVE-2024-53861: prevent partial matching of the Issuer field (bsc#1234038).\n- CVE-2026-32597: validate the crit Header Parameter defined in RFC 7515 (bsc#1259616).\n\nChangelog:\n\nUpdate to 2.12.1:\n\n - Add missing typing_extensions dependency for Python \u003c 3.11 in\n #1150\n \nUpdate to 2.12.0:\n\n - Annotate PyJWKSet.keys for pyright by @tamird in #1134\n - Close HTTPError response to prevent ResourceWarning on\n Python 3.14 by @veeceey in #1133\n - Do not keep algorithms dict in PyJWK instances by @akx in\n #1143\n - Use PyJWK algorithm when encoding without explicit\n algorithm in #1148\n - Docs: Add PyJWKClient API reference and document the\n two-tier caching system (JWK Set cache and signing key LRU\n cache). \n\nUpdate to 2.11.0:\n \n - Enforce ECDSA curve validation per RFC 7518 Section 3.4.\n - Fix build system warnings by @kurtmckee in #1105\n - Validate key against allowed types for Algorithm family in\n #964\n - Add iterator for JWKSet in #1041\n - Validate iss claim is a string during encoding and decoding\n by @pachewise in #1040\n - Improve typing/logic for options in decode, decode_complete\n by @pachewise in #1045\n - Declare float supported type for lifespan and timeout by\n @nikitagashkov in #1068\n - Fix SyntaxWarnings/DeprecationWarnings caused by invalid\n escape sequences by @kurtmckee in #1103\n - Development: Build a shared wheel once to speed up test\n suite setup times by @kurtmckee in #1114\n - Development: Test type annotations across all supported\n Python versions, increase the strictness of the type\n checking, and remove the mypy pre-commit hook by @kurtmckee\n in #1112\n - Support Python 3.14, and test against PyPy 3.10 and 3.11 by\n @kurtmckee in #1104\n - Development: Migrate to build to test package building in\n CI by @kurtmckee in #1108\n - Development: Improve coverage config and eliminate unused\n test suite code by 
@kurtmckee in #1115\n - Docs: Standardize CHANGELOG links to PRs by @kurtmckee in\n #1110\n - Docs: Fix Read the Docs builds by @kurtmckee in #1111\n - Docs: Add example of using leeway with nbf by @djw8605 in\n #1034\n - Docs: Refactored docs with autodoc; added PyJWS and\n jwt.algorithms docs by @pachewise in #1045\n - Docs: Documentation improvements for \"sub\" and \"jti\" claims\n by @cleder in #1088\n - Development: Add pyupgrade as a pre-commit hook by\n @kurtmckee in #1109\n - Add minimum key length validation for HMAC and RSA keys\n (CWE-326). Warns by default via InsecureKeyLengthWarning\n when keys are below minimum recommended lengths per RFC\n 7518 Section 3.2 (HMAC) and NIST SP 800-131A (RSA). Pass\n enforce_minimum_key_length=True in options to PyJWT or\n PyJWS to raise InvalidKeyError instead.\n - Refactor PyJWT to own an internal PyJWS instance instead of\n calling global api_jws functions.\n \nUpdate to 2.10.0:\n \n * chore: use sequence for typing rather than list\n * Add support for Python 3.13\n * [pre-commit.ci] pre-commit autoupdate\n * Add an RTD config file to resolve RTD build failures\n * docs: Update iat exception docs\n * Remove algorithm requirement for JWT API\n * Create SECURITY.md\n * docs fix: decode_complete scope and algorithms\n * fix doctest for docs/usage.rst\n * fix test_utils.py not to xfail\n * Correct jwt.decode audience param doc expression\n * Add PS256 encoding and decoding usage\n * Add API docs for PyJWK\n * Refactor project configuration files from setup.cfg to pyproject.toml PEP-518\n * Add JWK support to JWT encode\n * Update pre-commit hooks to lint pyproject.toml\n * Add EdDSA algorithm encoding/decoding usage\n * Ruff linter and formatter changes\n * Validate sub and jti claims for the token\n * Add ES256 usage\n * Encode EC keys with a fixed bit length\n * Drop support for Python 3.8\n * Prepare 2.10.0 release\n * Bump codecov/codecov-action from 4 to 5\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.1-463",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_20879-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:20879-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620879-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:20879-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/025052.html"
},
{
"category": "self",
"summary": "SUSE Bug 1234038",
"url": "https://bugzilla.suse.com/1234038"
},
{
"category": "self",
"summary": "SUSE Bug 1259616",
"url": "https://bugzilla.suse.com/1259616"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-53861 page",
"url": "https://www.suse.com/security/cve/CVE-2024-53861/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32597 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32597/"
}
],
"title": "Security update for python-PyJWT",
"tracking": {
"current_release_date": "2026-03-26T08:57:07Z",
"generator": {
"date": "2026-03-26T08:57:07Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:20879-1",
"initial_release_date": "2026-03-26T08:57:07Z",
"revision_history": [
{
"date": "2026-03-26T08:57:07Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch",
"product": {
"name": "python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch",
"product_id": "python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.1",
"product": {
"name": "SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch"
},
"product_reference": "python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-53861",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-53861"
}
],
"notes": [
{
"category": "general",
"text": "pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for `iss` checking, resulting in `\"acb\"` being accepted for `\"_abc_\"`. This is a bug introduced in version 2.10.0: checking the \"iss\" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if \"abc\" not in \"__abcd__\":` being checked instead of `if \"abc\" != \"__abc__\":`. Signature checks are still present so real world impact is likely limited to denial of service scenarios. This issue has been patched in version 2.10.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-53861",
"url": "https://www.suse.com/security/cve/CVE-2024-53861"
},
{
"category": "external",
"summary": "SUSE Bug 1234038 for CVE-2024-53861",
"url": "https://bugzilla.suse.com/1234038"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-26T08:57:07Z",
"details": "important"
}
],
"title": "CVE-2024-53861"
},
{
"cve": "CVE-2026-32597",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32597"
}
],
"notes": [
{
"category": "general",
"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32597",
"url": "https://www.suse.com/security/cve/CVE-2026-32597"
},
{
"category": "external",
"summary": "SUSE Bug 1259616 for CVE-2026-32597",
"url": "https://bugzilla.suse.com/1259616"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-26T08:57:07Z",
"details": "important"
}
],
"title": "CVE-2026-32597"
}
]
}
SUSE-SU-2026:20934-1
Vulnerability from csaf_suse - Published: 2026-03-25 18:08 - Updated: 2026-03-25 18:08
Summary
Security update for python-PyJWT
Severity
Important
Notes
Title of the patch: Security update for python-PyJWT
Description of the patch: This update for python-PyJWT fixes the following issue:
Update to PyJWT 2.12.1:
- CVE-2026-32597: PyJWT accepts unknown `crit` header extensions (bsc#1259616).
Changelog:
Update to 2.12.1:
- Add missing typing_extensions dependency for Python < 3.11 in
#1150
Update to 2.12.0:
- Annotate PyJWKSet.keys for pyright by @tamird in #1134
- Close HTTPError response to prevent ResourceWarning on
Python 3.14 by @veeceey in #1133
- Do not keep algorithms dict in PyJWK instances by @akx in
#1143
- Use PyJWK algorithm when encoding without explicit
algorithm in #1148
- Docs: Add PyJWKClient API reference and document the
two-tier caching system (JWK Set cache and signing key LRU
cache).
Update to 2.11.0:
- Enforce ECDSA curve validation per RFC 7518 Section 3.4.
- Fix build system warnings by @kurtmckee in #1105
- Validate key against allowed types for Algorithm family in
#964
- Add iterator for JWKSet in #1041
- Validate iss claim is a string during encoding and decoding
by @pachewise in #1040
- Improve typing/logic for options in decode, decode_complete
by @pachewise in #1045
- Declare float supported type for lifespan and timeout by
@nikitagashkov in #1068
- Fix SyntaxWarnings/DeprecationWarnings caused by invalid
escape sequences by @kurtmckee in #1103
- Development: Build a shared wheel once to speed up test
suite setup times by @kurtmckee in #1114
- Development: Test type annotations across all supported
Python versions, increase the strictness of the type
checking, and remove the mypy pre-commit hook by @kurtmckee
in #1112
- Support Python 3.14, and test against PyPy 3.10 and 3.11 by
@kurtmckee in #1104
- Development: Migrate to build to test package building in
CI by @kurtmckee in #1108
- Development: Improve coverage config and eliminate unused
test suite code by @kurtmckee in #1115
- Docs: Standardize CHANGELOG links to PRs by @kurtmckee in
#1110
- Docs: Fix Read the Docs builds by @kurtmckee in #1111
- Docs: Add example of using leeway with nbf by @djw8605 in
#1034
- Docs: Refactored docs with autodoc; added PyJWS and
jwt.algorithms docs by @pachewise in #1045
- Docs: Documentation improvements for "sub" and "jti" claims
by @cleder in #1088
- Development: Add pyupgrade as a pre-commit hook by
@kurtmckee in #1109
- Add minimum key length validation for HMAC and RSA keys
(CWE-326). Warns by default via InsecureKeyLengthWarning
when keys are below minimum recommended lengths per RFC
7518 Section 3.2 (HMAC) and NIST SP 800-131A (RSA). Pass
enforce_minimum_key_length=True in options to PyJWT or
PyJWS to raise InvalidKeyError instead.
- Refactor PyJWT to own an internal PyJWS instance instead of
calling global api_jws functions.
Patchnames: SUSE-SLES-16.0-445
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-PyJWT-2.12.1-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-PyJWT-2.12.1-160000.1.1.noarch | — | | Vendor Fix |
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-PyJWT",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-PyJWT fixes the following issue:\n\nUpdate to PyJWT 2.12.1:\n\n- CVE-2026-32597: PyJWT accepts unknown `crit` header extensions (bsc#1259616).\n\nChangelog:\n\nUpdate to 2.12.1:\n\n - Add missing typing_extensions dependency for Python \u003c 3.11 in\n #1150\n\nUpdate to 2.12.0:\n\n - Annotate PyJWKSet.keys for pyright by @tamird in #1134\n - Close HTTPError response to prevent ResourceWarning on\n Python 3.14 by @veeceey in #1133\n - Do not keep algorithms dict in PyJWK instances by @akx in\n #1143\n - Use PyJWK algorithm when encoding without explicit\n algorithm in #1148\n - Docs: Add PyJWKClient API reference and document the\n two-tier caching system (JWK Set cache and signing key LRU\n cache).\n\nUpdate to 2.11.0:\n\n - Enforce ECDSA curve validation per RFC 7518 Section 3.4.\n - Fix build system warnings by @kurtmckee in #1105\n - Validate key against allowed types for Algorithm family in\n #964\n - Add iterator for JWKSet in #1041\n - Validate iss claim is a string during encoding and decoding\n by @pachewise in #1040\n - Improve typing/logic for options in decode, decode_complete\n by @pachewise in #1045\n - Declare float supported type for lifespan and timeout by\n @nikitagashkov in #1068\n - Fix SyntaxWarnings/DeprecationWarnings caused by invalid\n escape sequences by @kurtmckee in #1103\n - Development: Build a shared wheel once to speed up test\n suite setup times by @kurtmckee in #1114\n - Development: Test type annotations across all supported\n Python versions, increase the strictness of the type\n checking, and remove the mypy pre-commit hook by @kurtmckee\n in #1112\n - Support Python 3.14, and test against PyPy 3.10 and 3.11 by\n @kurtmckee in #1104\n - Development: Migrate to build to test package building in\n CI by @kurtmckee in #1108\n - Development: Improve coverage config and eliminate unused\n test suite code by @kurtmckee in #1115\n - Docs: Standardize CHANGELOG links to PRs by @kurtmckee in\n #1110\n - Docs: Fix Read the Docs builds by @kurtmckee in #1111\n - Docs: Add example of using leeway with nbf by @djw8605 in\n #1034\n - Docs: Refactored docs with autodoc; added PyJWS and\n jwt.algorithms docs by @pachewise in #1045\n - Docs: Documentation improvements for \"sub\" and \"jti\" claims\n by @cleder in #1088\n - Development: Add pyupgrade as a pre-commit hook by\n @kurtmckee in #1109\n - Add minimum key length validation for HMAC and RSA keys\n (CWE-326). Warns by default via InsecureKeyLengthWarning\n when keys are below minimum recommended lengths per RFC\n 7518 Section 3.2 (HMAC) and NIST SP 800-131A (RSA). Pass\n enforce_minimum_key_length=True in options to PyJWT or\n PyJWS to raise InvalidKeyError instead.\n - Refactor PyJWT to own an internal PyJWS instance instead of\n calling global api_jws functions.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-445",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_20934-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:20934-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620934-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:20934-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-April/045218.html"
},
{
"category": "self",
"summary": "SUSE Bug 1259616",
"url": "https://bugzilla.suse.com/1259616"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32597 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32597/"
}
],
"title": "Security update for python-PyJWT",
"tracking": {
"current_release_date": "2026-03-25T18:08:28Z",
"generator": {
"date": "2026-03-25T18:08:28Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:20934-1",
"initial_release_date": "2026-03-25T18:08:28Z",
"revision_history": [
{
"date": "2026-03-25T18:08:28Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python313-PyJWT-2.12.1-160000.1.1.noarch",
"product": {
"name": "python313-PyJWT-2.12.1-160000.1.1.noarch",
"product_id": "python313-PyJWT-2.12.1-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16.0"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-PyJWT-2.12.1-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-PyJWT-2.12.1-160000.1.1.noarch"
},
"product_reference": "python313-PyJWT-2.12.1-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-PyJWT-2.12.1-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-PyJWT-2.12.1-160000.1.1.noarch"
},
"product_reference": "python313-PyJWT-2.12.1-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32597",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32597"
}
],
"notes": [
{
"category": "general",
"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-PyJWT-2.12.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-PyJWT-2.12.1-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32597",
"url": "https://www.suse.com/security/cve/CVE-2026-32597"
},
{
"category": "external",
"summary": "SUSE Bug 1259616 for CVE-2026-32597",
"url": "https://bugzilla.suse.com/1259616"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-PyJWT-2.12.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-PyJWT-2.12.1-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-PyJWT-2.12.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-PyJWT-2.12.1-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-25T18:08:28Z",
"details": "important"
}
],
"title": "CVE-2026-32597"
}
]
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.