PyJWT Security Flaw: Library Accepts Unknown Critical JWT Header Extensions (CVE-2026-32597)

A critical security vulnerability has been identified in PyJWT, a widely-used Python library for JSON Web Tokens. The flaw, tracked as CVE-2026-32597, allows the library to improperly accept JWS tokens containing unknown or unsupported 'crit' (Critical) header extensions. This behavior violates the RFC 7515 specification, which mandates that any listed critical extension not understood by the recipient must cause the token to be rejected. The failure to validate this parameter could enable attackers to craft tokens that bypass security checks, potentially leading to authentication or authorization failures in dependent applications.

The vulnerability is present in versions prior to 2.12.0. The issue stems from PyJWT's handling of the `crit` header array defined in section 4.1.11 of the JWS standard. When a token lists extensions in this array that the library does not recognize or support, PyJWT incorrectly processes the token as valid instead of rejecting it outright. This creates a potential vector for exploitation where malicious tokens could be engineered to be accepted by systems relying on PyJWT for security validation.

The maintainers have released PyJWT version 2.12.0 to address this security gap. The update enforces proper validation of the `crit` header, bringing the library into compliance with the RFC and closing the vulnerability. This patch is classified as a security update, prompting an automated dependency pull request via RenovateBot. Developers and organizations using PyJWT must upgrade immediately to mitigate the risk of token validation bypass, which could compromise the security of APIs, web applications, and microservices that depend on JWT for session management and access control.