CVE-2026-48522

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-48522
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-48522.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-48522
Aliases
Downstream
Related
Published
2026-05-28T15:00:30.186Z
Modified
2026-06-18T18:29:22.378350403Z
Severity
  • 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
PyJWKClient: missing scheme allowlist enables SSRF + token forgery via file://, ftp://, data: schemes
Details

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no documented option to restrict which schemes PyJWKClient will fetch. If an application's jku URL ingestion path accepts attacker-influenced URLs (e.g., from JWT header, configuration file, OAuth flow parameter), the attacker can cause PyJWKClient to read arbitrary local files via file:// (SSRF on local filesystem), cause PyJWKClient to attempt FTP / data-URI fetches (broader SSRF surface), or forge tokens that PyJWT verifies as valid. The library does not directly return non-HTTP(S) URI contents to the attacker; the chained "plant a JWKS to forge tokens" scenario described in the original report requires additional application-layer flaws (attacker write access to a filesystem path, untrusted jku derivation) that this fix does not address. This vulnerability is fixed in 2.13.0.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-441",
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48522.json"
}
References

Affected packages

Git / github.com/jpadilla/pyjwt

Affected ranges

Type
GIT
Repo
https://github.com/jpadilla/pyjwt
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
7144e4534c34810f4525dc4578a32addd8212cff
Database specific 
{
    "cpe": "cpe:2.3:a:pyjwt_project:pyjwt:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.13.0"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "2.13.0"
        }
    ]
}

Affected versions

0.*
0.1.6
0.1.9
0.2.0
0.2.2
0.2.3
0.3.0
0.3.1
0.3.2
0.4.0
0.4.1
0.4.2
0.4.3
1.*
1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.3
1.6.0
1.6.1
1.6.3
1.6.4
1.7.0
1.7.1
2.*
2.0.0
2.0.0a1
2.0.0a2
2.0.1
2.1.0
2.10.0
2.10.1
2.11.0
2.12.0
2.12.1
2.2.0
2.3.0
2.4.0
2.5.0
2.6.0
2.7.0
2.8.0
2.9.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-48522.json"