Alerts This Week
Warning Icon 1 548
Alerts This Week
Warning Icon 1 548

SUSE python-PyJWT Important DoS Issues Fixed SUSE-SU-2026-22138-1

suse
Calendar Grey June 17, 2026
Dist Suse Esm H88
Five vulnerabilities in python-PyJWT addressed by a security patch for SUSE enhance system protection. Update now!
An update that solves five vulnerabilities can now be installed.

Summary

## This update for python-PyJWT fixes the following issues * CVE-2026-48522: `PyJWKClient` passes URI arguments directly to `urllib.request.urlopen()` and allows for SSRF and token forgery (bsc#1266798). * CVE-2026-48523: verifier-side algorithm allow-list bypass when `jwt.decode()` or `jwt.decode_complete()` are called with a PyJWK key (bsc#1266799). * CVE-2026-48524: unlimited processing of JWTs with unknown kid values by `PyJWKClient.get_signing_key()` leads to unbounded JWKS endpoint requests and DoS (bsc#1266800). * CVE-2026-48525: unbounded Base64URL decoding of unused payload segment in `b64=false` detached JWS allows for DoS (bsc#1266801). * CVE-2026-48526: no validation of use of JSON Web Keys in HMAC algorithm when

Topics%20covered

Topics Covered

security advisory security issue SuSE DoS important python-PyJWT

References

* bsc#1266798

* bsc#1266799

* bsc#1266800

* bsc#1266801

* bsc#1266802

Cross-

* CVE-2026-48522

* CVE-2026-48523

* CVE-2026-48524

* CVE-2026-48525

* CVE-2026-48526

CVSS scores:

* CVE-2026-48522 ( SUSE ): 6.3

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

* CVE-2026-48522 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

* CVE-2026-48522 ( NVD ): 4.2 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

* CVE-2026-48523 ( SUSE ): 5.3

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

* CVE-2026-48523 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

* CVE-2026-48523 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

* CVE-2026-48524 ( SUSE ): 6.3

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: SUSE-SU-2026:22138-1
Release Date: 2026-06-16T09:10:04Z
Rating: important

Topics%20covered

Topics Covered

security advisory security issue SuSE DoS important python-PyJWT

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here