This update for python-PyJWT fixes the following issues:
- CVE-2026-48522: `PyJWKClient` passes URI arguments directly to `urllib.request.urlopen()` and allows for SSRF and
token forgery (bsc#1266798).
- CVE-2026-48523: verifier-side algorithm allow-list bypass when `jwt.decode()` or `jwt.decode_complete()` is called
with a PyJWK key (bsc#1266799).
- CVE-2026-48524: unlimited processing of JWTs with unknown kid values by `PyJWKClient.get_signing_key()` leads to
unbounded JWKS endpoint requests and DoS (bsc#1266800).
- CVE-2026-48525: unbounded Base64URL decoding of unused payload segment in `b64=false` detached JWS allows for DoS
(bsc#1266801).
- CVE-2026-48526: no validation of the use of JSON Web Keys with HMAC algorithms when decoding JSON Web Tokens allows
for forged HS256 tokens (bsc#1266802).
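A verifier-side pre-check that an application can run in front of `jwt.decode()`, added here as an illustration; it is not code from PyJWT or from this update. It enforces an explicit algorithm allow-list, requires the JWK's `kty` to belong to the header algorithm's family (so an asymmetric JWK is never accepted for HS256), and bounds Base64URL segment size before decoding. The alg-to-kty table, the 4096-byte segment limit and all function names are assumptions of this example.

```python
import base64
import json

# Constructed table for this example: which JWK key type ("kty") may be used
# with which JWT "alg" family. The rule it encodes is an assumption of this
# example, not PyJWT's own logic: HMAC (HS*) tokens must only be keyed with
# symmetric "oct" keys, so an RSA or EC public JWK presented for HS256 is
# refused before any signature check runs.
ALG_FAMILY_TO_KTY = {"HS": "oct", "RS": "RSA", "PS": "RSA", "ES": "EC"}


def b64url_decode(segment: str, max_len: int = 4096) -> bytes:
    """Decode one base64url segment, refusing oversized input up front."""
    if len(segment) > max_len:
        raise ValueError(f"segment too long ({len(segment)} > {max_len})")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_token_key_policy(token: str, jwk: dict, allowed_algs: set) -> dict:
    """Return the parsed header if (alg, kid, key) pass the verifier's policy.

    Raises ValueError if the header alg is not on the allow-list, if the
    JWK's kty is not valid for that alg family, or if the JWK's own
    "alg"/"kid" contradict the header. Signature verification is left to
    the JWT library; this check runs before it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} not in verifier allow-list")
    if jwk.get("kty") != ALG_FAMILY_TO_KTY.get(alg[:2]):
        raise ValueError(f"key type {jwk.get('kty')!r} not valid for {alg}")
    if "alg" in jwk and jwk["alg"] != alg:
        raise ValueError("JWK alg does not match token header alg")
    if "kid" in header and jwk.get("kid") != header["kid"]:
        raise ValueError("JWK kid does not match token header kid")
    return header


def unsigned_token(header: dict, payload: dict) -> str:
    """Build a constructed, unsigned compact JWS for exercising the check."""
    segs = [b64url_encode(json.dumps(o).encode()) for o in (header, payload)]
    return ".".join(segs + ["placeholder-signature"])
```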
Patch instructions:
To install this openSUSE security update, use the SUSE-recommended installation methods,
such as YaST online_update or "zypper patch".
Alternatively you can...
openSUSE Leap 16.0:
python313-PyJWT-2.12.1-160000.2.1
* bsc#1266798
* bsc#1266799
* bsc#1266800
* bsc#1266801
* bsc#1266802
References:
* https://www.suse.com/security/cve/CVE-2026-48522.html
* https://www.suse.com/security/cve/CVE-2026-48523.html
* https://www.suse.com/security/cve/CVE-2026-48524.html
* https://www.suse.com/security/cve/CVE-2026-48525.html
* https://www.suse.com/security/cve/CVE-2026-48526.html