PyJWT Security Flaw: Library Fails to Validate Critical JWT Headers, Violating RFC Mandate

A critical security vulnerability has been disclosed in PyJWT, a widely-used Python library for JSON Web Tokens. The flaw, tracked as CVE-2026-32597, stems from the library's failure to validate the `crit` (Critical) Header Parameter as mandated by RFC 7515. When a JWS token includes a `crit` array listing extensions that PyJWT does not understand, the library incorrectly accepts the token instead of rejecting it. This violation of a core RFC requirement creates a significant security gap in authentication and authorization flows that depend on the library.

The vulnerability is the same class of issue as the previously disclosed CVE-2025-59420 in the Authlib library, which received a CVSS score of 7.5 (High severity). The update in a GitHub pull request shows a direct dependency bump from PyJWT version `~=2.5.0` to the patched version `~=2.12.1`. This indicates that numerous projects relying on older versions of PyJWT are currently exposed and must take immediate action to apply the security patch.

The widespread use of PyJWT across the Python ecosystem for handling JWTs in web applications, APIs, and microservices means this vulnerability poses a substantial risk. Systems that have not been updated could be susceptible to token manipulation or acceptance of malformed tokens, potentially bypassing security controls. Developers and security teams must prioritize updating their dependencies to mitigate this critical compliance and security failure.