PyJWT Security Flaw: CVE-2026-32597 Exposes Critical JWT Validation Bypass

A critical security vulnerability in the widely-used PyJWT library allows attackers to bypass JWT signature validation, posing a direct threat to authentication systems across countless Python applications. The flaw, designated CVE-2026-32597, stems from the library's failure to properly validate the `crit` (Critical) Header Parameter as mandated by the JWT specification (RFC 7515). When a malicious token includes a `crit` array listing extensions unknown to PyJWT, the library incorrectly accepts the token instead of rejecting it, violating a core security requirement.

The vulnerability is present in versions prior to 2.12.0. The issue was addressed in the newly released PyJWT v2.12.0, which now correctly rejects tokens with unsupported critical extensions. This update is classified as a security fix, and the associated GitHub security advisory (GHSA-752w-5fwx-jx9f) provides detailed information. The flaw's impact is significant because JWTs are foundational for session management, API authentication, and single sign-on (SSO) implementations; a validation bypass could lead to unauthorized access and privilege escalation.

Development and security teams must treat this as a high-priority update. The vulnerability's discovery triggers automated dependency update requests, such as those from Renovatebot, highlighting the urgency for integration. Failure to patch leaves applications exposed to crafted JWT attacks that could compromise user accounts and backend services. All projects relying on PyJWT should immediately upgrade to version 2.12.0 to close this security gap.