
openSUSE Python-PyJWT Important SSRF DoS Fixes Vuln 2026-21095-1

June 30, 2026
This openSUSE advisory details an important update for python-PyJWT addressing multiple security issues and fixes.
An update that solves 5 vulnerabilities and has 5 bug fixes can now be installed.

Description

This update for python-PyJWT fixes the following issues:

- CVE-2026-48522: `PyJWKClient` passes URI arguments directly to `urllib.request.urlopen()` and allows for SSRF and token forgery (bsc#1266798).

- CVE-2026-48523: verifier-side algorithm allow-list bypass when `jwt.decode()` or `jwt.decode_complete()` are called with a PyJWK key (bsc#1266799).

- CVE-2026-48524: unlimited processing of JWTs with unknown kid values by `PyJWKClient.get_signing_key()` leads to unbounded JWKS endpoint requests and DoS (bsc#1266800).

- CVE-2026-48525: unbounded Base64URL decoding of unused payload segment in `b64=false` detached JWS allows for DoS (bsc#1266801).

- CVE-2026-48526: no validation of use of JSON Web Keys in HMAC algorithm when decoding JSON Web Tokens allows for forged HS256 tokens (bsc#1266802).
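As an added defender-side example (not PyJWT's own code and not part of this advisory), the stdlib-only gate below shows the kind of input checks an application can place in front of the library for the issue classes listed above: allow-listing the JWKS endpoint before any client is pointed at it (the SSRF item), pinning an explicit asymmetric algorithm allow-list so HS* is never accepted alongside JWK-sourced keys (the allow-list bypass and HMAC items), capping segment sizes before Base64URL decoding and refusing `b64=false` detached JWS (the DoS items), and negatively caching unknown `kid` values so a stream of bogus kids cannot become one JWKS request per token. Host names, size limits and TTLs are constructed assumptions; the patched package is still the fix.

```python
"""Pre-validation gate placed in front of a JWT library (added example, not PyJWT code).
It rejects inputs in the classes the advisory names before any network or crypto work.
All policy values below are constructed assumptions for illustration."""
import base64
import json
import time
from urllib.parse import urlparse

ALLOWED_JWKS_HOSTS = {"idp.example.internal"}   # assumed: only IdP hosts a JWKS client may fetch from
ALLOWED_ALGS = {"RS256", "ES256"}               # assumed: asymmetric only; HS* never used with JWKs
MAX_SEGMENT_CHARS = 8 * 1024                    # assumed: cap on any Base64URL segment before decoding
MAX_KID_LEN = 128                               # assumed: sane upper bound for a key id
UNKNOWN_KID_TTL = 300                           # assumed: seconds an unknown kid stays negatively cached


def jwks_uri_allowed(uri):
    """Allow-list the JWKS endpoint: https only, no userinfo, host must be known.

    Run this before constructing any JWKS client so a URI that came from
    configuration or a discovery document cannot point the fetcher elsewhere."""
    p = urlparse(uri)
    return (p.scheme == "https"
            and p.username is None and p.password is None
            and p.hostname in ALLOWED_JWKS_HOSTS)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def build_token(header, payload, signature=b"sig"):
    """Build a compact JWS string for tests; the signature is a constructed placeholder."""
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([_b64url_encode(compact(header)),
                     _b64url_encode(compact(payload)),
                     _b64url_encode(signature)])


def check_token_shape(token):
    """Return (True, kid) if the token passes policy, else (False, reason).

    Only the header is decoded; signature verification stays with the library."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "expected three segments"
    # Size caps are enforced on the encoded text, so nothing large is ever decoded.
    for i, seg in enumerate(parts):
        if len(seg) > MAX_SEGMENT_CHARS:
            return False, f"segment {i} exceeds {MAX_SEGMENT_CHARS} chars"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError subclass
        return False, "header is not valid Base64URL JSON"
    if not isinstance(header, dict):
        return False, "header is not a JSON object"
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:                # pin the verifier-side allow-list explicitly
        return False, f"alg {alg!r} not in allow-list"
    if header.get("b64") is False:             # detached-payload JWS is not accepted at all
        return False, "detached (b64=false) JWS not accepted"
    kid = header.get("kid")
    if not isinstance(kid, str) or not 0 < len(kid) <= MAX_KID_LEN:
        return False, "kid missing or malformed"
    return True, kid


class KidGate:
    """Negative cache for unknown kids: a kid that was already looked up and not
    found is not fetched again until UNKNOWN_KID_TTL has passed."""

    def __init__(self, now=time.monotonic):
        self._unknown = {}
        self._now = now     # injectable clock so the behaviour can be tested offline

    def should_fetch(self, kid):
        expires = self._unknown.get(kid)
        return expires is None or expires <= self._now()

    def mark_unknown(self, kid):
        self._unknown[kid] = self._now() + UNKNOWN_KID_TTL


if __name__ == "__main__":
    tok = build_token({"alg": "RS256", "kid": "k1"}, {"sub": "user"})
    print(jwks_uri_allowed("https://idp.example.internal/.well-known/jwks.json"))
    print(check_token_shape(tok))
```

The gate returns the `kid` only after the header passed policy, so the lookup into `KidGate` and then into the real JWKS client happens for well-formed, policy-conforming tokens only; the library still performs the actual signature verification with its own explicit `algorithms` list.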

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can...

Package List

- openSUSE Leap 16.0:

python313-PyJWT-2.12.1-160000.2.1

References

* bsc#1266798

* bsc#1266799

* bsc#1266800

* bsc#1266801

* bsc#1266802

References:

* https://www.suse.com/security/cve/CVE-2026-48522.html

* https://www.suse.com/security/cve/CVE-2026-48523.html

* https://www.suse.com/security/cve/CVE-2026-48524.html

* https://www.suse.com/security/cve/CVE-2026-48525.html

* https://www.suse.com/security/cve/CVE-2026-48526.html

Severity: important

Announcement ID: openSUSE-SU-2026:21095-1
Rating: important
Affected Products: openSUSE Leap 16.0
