Alerts This Week
Warning Icon 1 1,039
Alerts This Week
Warning Icon 1 1,039

SUSE Python-PyJWT Critical SSRF DoS Security Update 2026-2627-1

suse
Calendar Grey June 25, 2026
Dist Suse Esm H88
Install a crucial security update for python-PyJWT addressing multiple issues including unvalidated JSON Web Keys and SSRF risks.
An update that solves four vulnerabilities can now be installed.

Summary

## This update for python-PyJWT fixes the following issues * CVE-2026-48522: `PyJWKClient` passes URI arguments directly to `urllib.request.urlopen()` and allows for SSRF and token forgery (bsc#1266798). * CVE-2026-48523: verifier-side algorithm allow-list bypass when `jwt.decode()` or `jwt.decode_complete()` are called with a PyJWK key (bsc#1266799). * CVE-2026-48525: unbounded Base64URL decoding of unused payload segment in `b64=false` detached JWS allows for DoS (bsc#1266801). * CVE-2026-48526: no validation of use of JSON Web Keys in HMAC algorithm when decoding JSON Web Tokens allows for forged HS256 tokens (bsc#1266802). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Topics%20covered

Topics Covered

security advisory SuSE DoS important python-PyJWT token forgery

References

* bsc#1266798

* bsc#1266799

* bsc#1266801

* bsc#1266802

Cross-

* CVE-2026-48522

* CVE-2026-48523

* CVE-2026-48525

* CVE-2026-48526

CVSS scores:

* CVE-2026-48522 ( SUSE ): 6.3

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

* CVE-2026-48522 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

* CVE-2026-48522 ( NVD ): 4.2 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

* CVE-2026-48523 ( SUSE ): 5.3

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

* CVE-2026-48523 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

* CVE-2026-48523 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

* CVE-2026-48525 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: SUSE-SU-2026:2627-1
Release Date: 2026-06-25T08:13:21Z
Rating: important

Topics%20covered

Topics Covered

security advisory SuSE DoS important python-PyJWT token forgery

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here